Skip to content

Add CI: build/test, CodeQL and zizmor workflows #1

Add CI: build/test, CodeQL and zizmor workflows

Add CI: build/test, CodeQL and zizmor workflows #1

Workflow file for this run

# zizmor audits the GitHub Actions workflows themselves for security issues
# (injection, excessive permissions, unpinned actions, etc.).
# Results appear under the repository's "Security > Code scanning" tab.
name: zizmor
on:
push:
branches: [ "master" ]
pull_request:
branches: [ "master" ]
permissions:
contents: read
jobs:
zizmor:
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v6
# Audit all workflow files. continue-on-error so findings still get uploaded
# to code scanning instead of aborting before the upload step.
- name: Run zizmor
continue-on-error: true
run: uvx zizmor --format sarif . > zizmor.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: zizmor.sarif
category: zizmor