Skip to content

Commit 23669f6

Browse files
authored
Audit GitHub Actions, fix issues, and add zizmor job (#238)
On-behalf-of: @SAP marko.mudrinic@sap.com Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>
1 parent f9ec1dd commit 23669f6

5 files changed

Lines changed: 48 additions & 12 deletions

File tree

.github/workflows/ci.yml

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -12,7 +12,7 @@ on:
1212
- closed
1313

1414
permissions:
15-
contents: read
15+
contents: read # Baseline for actions/checkout; elevated scopes are granted per-job
1616

1717
concurrency:
1818
group: pages-preview-${{ github.event.pull_request.number }}
@@ -22,12 +22,13 @@ jobs:
2222
build:
2323
runs-on: ubuntu-latest
2424
permissions:
25-
contents: write
26-
pull-requests: write
25+
contents: write # Needed to push the PR preview to the gh-pages branch
26+
pull-requests: write # Needed to comment the preview link on the PR
2727
steps:
2828
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
2929
with:
3030
fetch-depth: 0
31+
persist-credentials: false
3132
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
3233
with:
3334
node-version: 24

.github/workflows/ossf-scorecard.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -13,7 +13,7 @@ jobs:
1313
scorecard:
1414
uses: platform-mesh/.github/.github/workflows/job-ossf-scorecard.yml@068efd5c6c7a6d0c4b28f5887de7ca156cb5f7b8 # main
1515
permissions:
16-
security-events: write
17-
id-token: write
18-
contents: read
19-
actions: read
16+
security-events: write # Needed to upload Scorecard results to the GitHub Security tab
17+
id-token: write # Needed for keyless publishing of Scorecard results
18+
contents: read # Needed to read repository contents
19+
actions: read # Needed to read GitHub Actions workflows

.github/workflows/release.yml

Lines changed: 6 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ on:
88
workflow_dispatch:
99

1010
permissions:
11-
contents: read
11+
contents: read # Baseline for actions/checkout; elevated scopes are granted per-job
1212

1313
concurrency:
1414
group: pages-${{ github.ref_name }}
@@ -18,25 +18,26 @@ jobs:
1818
build:
1919
runs-on: ubuntu-latest
2020
permissions:
21-
contents: write
21+
contents: write # Needed to push the built site to the gh-pages branch
2222
steps:
2323
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
2424
with:
2525
fetch-depth: 0
26+
persist-credentials: false
2627
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
2728
with:
2829
node-version: 24
29-
cache: npm
30+
cache: npm # zizmor: ignore[cache-poisoning]
3031

3132
- id: configure
3233
uses: actions/configure-pages@45bfe0192ca1faeb007ade9deae92b16b8254a0d # v6
3334

3435
- id: set-version
3536
name: Set documentation version
3637
run: |
37-
if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
38+
if [[ "${GITHUB_REF}" == "refs/heads/main" ]]; then
3839
echo "version=main" >> $GITHUB_OUTPUT
39-
elif [[ "${{ github.ref }}" == refs/heads/release-* ]]; then
40+
elif [[ "${GITHUB_REF}" == refs/heads/release-* ]]; then
4041
echo "version=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
4142
else
4243
echo "version=" >> $GITHUB_OUTPUT

.github/workflows/zizmor.yml

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
name: Zizmor
2+
on:
3+
push:
4+
branches: [main]
5+
pull_request:
6+
branches: [main]
7+
schedule:
8+
- cron: '30 4 * * 1'
9+
workflow_dispatch:
10+
11+
permissions:
12+
contents: read
13+
14+
concurrency:
15+
group: ${{ github.workflow }}-${{ github.ref }}
16+
cancel-in-progress: true
17+
18+
jobs:
19+
zizmor:
20+
uses: platform-mesh/.github/.github/workflows/job-zizmor.yml@03e076ff9aebe43ead6b9d77f3bb764a9d411347 # main
21+
with:
22+
persona: 'auditor'
23+
permissions:
24+
security-events: write # Needed to write to the GitHub Security tab
25+
contents: read # Needed to read repository contents
26+
actions: read # Needed to read GitHub Actions workflows

.github/zizmor.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
# zizmor configuration for platform-mesh.github.io workflows.
2+
# https://docs.zizmor.sh/configuration/
3+
rules:
4+
# Repo convention: jobs are identified by their key (e.g. `build`), not a
5+
# separate display name. Adding `name:` to every job would fight the
6+
# established style across the workflows here.
7+
anonymous-definition:
8+
disable: true

0 commit comments

Comments
 (0)