Skip to content

Commit 2475403

Browse files
committed
Add zizmor static analysis to CI
Add zizmor workflow security scanner as a CI job to detect common GitHub Actions misconfigurations and vulnerabilities. Uses SARIF output for GitHub security tab integration. A .github/zizmor.yml config allows ref-pinned refs for our own posit-dev/images-shared/* composite actions while requiring hash-pinning for all third-party actions.
1 parent 0b281b1 commit 2475403

2 files changed

Lines changed: 22 additions & 0 deletions

File tree

.github/workflows/ci.yml

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -29,10 +29,12 @@ jobs:
2929
- bakery
3030
- bakery-native
3131
- release
32+
- zizmor
3233

3334
steps:
3435
- uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # release/v1
3536
with:
37+
allowed-skips: zizmor
3638
jobs: ${{ toJSON(needs) }}
3739

3840
test:
@@ -132,6 +134,17 @@ jobs:
132134
context: "./posit-bakery/test/resources/multiplatform/"
133135
dev-versions: include
134136

137+
zizmor:
138+
name: Zizmor
139+
runs-on: ubuntu-latest
140+
permissions:
141+
security-events: write
142+
steps:
143+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
144+
with:
145+
persist-credentials: false
146+
- uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
147+
135148
with-macros-clean-caches:
136149
name: Clean Caches (with-macros suite)
137150
permissions:

.github/zizmor.yml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
rules:
2+
unpinned-uses:
3+
config:
4+
policies:
5+
# First-party composite actions are kept at branch refs
6+
# (e.g. @main) intentionally; SHA-pinning them would
7+
# defeat the purpose of reusable shared actions.
8+
"posit-dev/images-shared/*": ref-pin
9+
"*": hash-pin

0 commit comments

Comments
 (0)