Skip to content

Commit bddc956

Browse files
ci: harden actions and add linter (withastro#13917)
Co-authored-by: Armand Philippot <git@armand.philippot.eu>
1 parent 5501776 commit bddc956

10 files changed

Lines changed: 49 additions & 2 deletions

File tree

.github/workflows/ci.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,8 @@ concurrency:
1111
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}
1212
cancel-in-progress: true
1313

14+
permissions: {}
15+
1416
env:
1517
NODE_OPTIONS: "--max_old_space_size=8192"
1618

.github/workflows/contributors.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,8 @@ on:
55
- cron: '0 3 * * SUN'
66
workflow_dispatch:
77

8+
permissions: {}
9+
810
jobs:
911
contributors:
1012
name: docs_contributors

.github/workflows/discord-congrats.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,8 @@ on:
44
push:
55
branches: [main]
66

7+
permissions: {}
8+
79
jobs:
810
congrats:
911
name: congratsbot

.github/workflows/discord-i18n-ping.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,8 @@ on:
55
- cron: '0 10 * * TUE'
66
workflow_dispatch:
77

8+
permissions: {}
9+
810
jobs:
911
translation:
1012
name: translation_tuesday

.github/workflows/format.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,8 @@ on:
55
branches:
66
- main
77

8+
permissions: {}
9+
810
jobs:
911
format:
1012
runs-on: ubuntu-latest

.github/workflows/lint-ja-docs.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,8 @@ on:
1111
- 'src/content/docs/ja/**'
1212
- '.textlintrc.ja.json'
1313

14+
permissions: {}
15+
1416
# Automatically cancel in-progress actions on the same branch
1517
concurrency:
1618
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }}

.github/workflows/lunaria.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@ name: Lunaria
22

33
on:
44
# Trigger the workflow every time a pull request is opened or synchronized at the target `main` branch
5+
# zizmor: ignore[dangerous-triggers]
56
pull_request_target:
67
types: [opened, synchronize]
78

.github/workflows/nightly.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,8 @@ on:
55
- cron: '0 12 * * *'
66
workflow_dispatch:
77

8+
permissions: {}
9+
810
jobs:
911
docgen:
1012
name: Generate Reference Docs

.github/workflows/welcome-bot.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1,17 +1,19 @@
11
name: WelcomeBot
22

33
on:
4+
# zizmor: ignore[dangerous-triggers]
45
pull_request_target:
56
branches: [main]
67
types: [opened]
78

8-
permissions:
9-
pull-requests: write
9+
permissions: {}
1010

1111
jobs:
1212
welcome:
1313
name: Welcome First Time Contributors
1414
runs-on: ubuntu-latest
15+
permissions:
16+
pull-requests: write
1517
steps:
1618
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
1719
- uses: zephyrproject-rtos/action-first-interaction@58853996b1ac504b8e0f6964301f369d2bb22e5c

.github/workflows/zizmor.yml

Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
name: GitHub Actions Security Analysis with zizmor 🌈
2+
3+
on:
4+
push:
5+
branches: ["main"]
6+
pull_request:
7+
branches: ["**"]
8+
9+
permissions: {}
10+
11+
jobs:
12+
zizmor:
13+
name: Run zizmor 🌈
14+
runs-on: ubuntu-latest
15+
permissions:
16+
security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
17+
contents: read # Only needed for private repos. Needed to clone the repo.
18+
actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
19+
steps:
20+
- name: Checkout repository
21+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
22+
with:
23+
persist-credentials: false
24+
25+
- name: Run zizmor 🌈
26+
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
27+
with:
28+
inputs: '.github/workflows/'
29+
min-confidence: medium
30+
min-severity: medium

0 commit comments

Comments
 (0)