feat(actions): add zizmor and actionlint (#636)

setchy · web-flow · commit aae867d5583b · 2026-04-06T13:16:40.000-04:00
* fix(actions): zizmor fixes

Signed-off-by: Adam Setch &lt;adam.setch@outlook.com&gt;

* fix(actions): zizmor fixes

Signed-off-by: Adam Setch &lt;adam.setch@outlook.com&gt;

---------

Signed-off-by: Adam Setch &lt;adam.setch@outlook.com&gt;
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -6,26 +6,45 @@ on:
       - main
   pull_request:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
-  lint:
-    name: biomejs
+  lint-code:
+    name: Lint Code [biomejs]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
-      
+
       - name: Setup Node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version-file: '.nvmrc'
-          cache: 'pnpm'
+          node-version-file: ".nvmrc"
+          cache: "pnpm"
 
       - run: pnpm install
       - run: pnpm lint:check
+
+  lint-actions:
+    name: Lint GitHub Actions [actionlint]
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+          sparse-checkout: .github/
+
+      - name: GitHub Actions linter
+        uses: docker://rhysd/actionlint:1.7.12@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,28 @@
+name: GitHub Actions Security Analysis
+
+on:
+    push:
+        branches:
+            - main
+    pull_request:
+        branches:
+            - "**"
+
+permissions: {}
+
+jobs:
+    zizmor:
+        name: Run zizmor 🌈
+        runs-on: ubuntu-latest
+        permissions:
+            security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+            contents: read # Only needed for private repos. Needed to clone the repo.
+            actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
+        steps:
+            - name: Checkout repository
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              with:
+                  persist-credentials: false
+
+            - name: Run zizmor 🌈
+              uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
@@ -2,6 +2,7 @@
   "recommendations": [
     "astro-build.astro-vscode",
     "biomejs.biome",
-    "bradlc.vscode-tailwindcss"
+    "bradlc.vscode-tailwindcss",
+    "zizmor.zizmor-vscode"
   ]
 }

Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`	`"recommendations": [`
`3`	`3`	`"astro-build.astro-vscode",`
`4`	`4`	`"biomejs.biome",`
`5`		`- "bradlc.vscode-tailwindcss"`
	`5`	`+ "bradlc.vscode-tailwindcss",`
	`6`	`+ "zizmor.zizmor-vscode"`
`6`	`7`	`]`
`7`	`8`	`}`