
Commit c0ef6cc

feat: add zizmor security scanner (#78)
* feat: add zizmor security scanner * fix: address security findings * chore: remove the config file and inline the rule ignores so that they are tunable per workflow instead of globally. Added a mise.lock file so that SHA checksums are applied when downloading dependencies and the downloads can be cached * chore: remove the zizmor tag on GITHUB_TOKEN, as it is an exempt case --------- Co-authored-by: dhernando <david.hernando91@gmail.com>
1 parent 39db564 commit c0ef6cc


7 files changed

+160
-2
lines changed


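--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -19,6 +19,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+persist-credentials: false
 
 - name: Set up tools
 uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3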
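Review bot: With `persist-credentials: false` the checkout token is no longer written into the repository's git config, so any later step in this job that pushes, tags, or otherwise authenticates through git must now be handed a token explicitly through its own input or `env`. The hunk ends at the mise-action setup and the rest of the job is outside it, so this is a point to confirm rather than a definite defect. The same change lands in ci.yml and release.yml; release.yml keeps `fetch-depth: 0`, which suggests history- or tag-dependent tooling runs later in that job, so it is the one most worth checking.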

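--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -17,6 +17,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Set up tools
 uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
@@ -34,6 +36,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Set up tools
 uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
@@ -48,6 +52,8 @@ jobs:
 steps:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+with:
+persist-credentials: false
 
 - name: Set up tools
 uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3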
Lines changed: 22 additions & 0 deletions
@@ -0,0 +1,22 @@
1+
name: Lint workflows
2+
on:
3+
pull_request:
4+
paths:
5+
- '.github/workflows/**'
6+
7+
jobs:
8+
zizmor:
9+
name: Security audit
10+
runs-on: ubuntu-latest
11+
permissions:
12+
security-events: write
13+
contents: read
14+
actions: read
15+
steps:
16+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
17+
with:
18+
persist-credentials: false
19+
- uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
20+
with:
21+
persona: regular
22+
min-severity: medium
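Review bot: The new workflow triggers only on `pull_request` with a `.github/workflows/**` path filter, so the default branch itself is never audited and code scanning never receives a baseline result set for it; adding `push: branches: [main]` (and optionally a `schedule`) next to the existing trigger would close that gap. For pull requests opened from forks the workflow token is read-only regardless of the job's `security-events: write` declaration, so the SARIF upload step is likely to fail on those runs — worth confirming how the action behaves there. `persona: regular` combined with `min-severity: medium` drops lower-severity findings before they reach the report; a one-line comment such as `# medium+ only; lower the threshold once the current findings are triaged` would record that this filtering is deliberate.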

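--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+persist-credentials: false
 
 - uses: jdx/mise-action@5228313ee0372e111a38da051671ca30fc5a96db # v3.6.3
 with: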

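--- a/.github/workflows/releaser-pleaser.yml
+++ b/.github/workflows/releaser-pleaser.yml
@@ -3,7 +3,7 @@ name: releaser-pleaser
 on:
 push:
 branches: [main]
-pull_request_target:
+pull_request_target: # zizmor: ignore[dangerous-triggers]
 types:
 - edited
 - labeled
@@ -23,6 +23,6 @@ jobs:
 - name: releaser-pleaser
 uses: apricote/releaser-pleaser@a1ce9493fd3f3abe60f22c37249d257bc10081dc # v0.8.0
 with:
-token: ${{ secrets.RELEASER_PLEASER_TOKEN }}
+token: ${{ secrets.RELEASER_PLEASER_TOKEN }} # zizmor: ignore[secrets-outside-env]
 extra-files: |
 cmd/qcloud/main.go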
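Review bot: Both `# zizmor: ignore[...]` annotations (`dangerous-triggers` on the trigger, `secrets-outside-env` on the `token` input) suppress the finding without recording why it is acceptable here, which is precisely what the next person touching this job needs. `pull_request_target` runs in the base repository's context with `RELEASER_PLEASER_TOKEN` available, so the first suppression is only safe while the job never checks out or executes content from the pull request head; the job's `steps` begin outside the hunk, so that invariant should be verified and then written next to the ignore, e.g. `pull_request_target: # zizmor: ignore[dangerous-triggers] -- job only edits PR metadata; PR head content is never checked out or run`. For `secrets-outside-env`, passing the PAT as an action input is the action's documented interface, but the same one-line rationale belongs on that ignore too.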

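--- /dev/null
+++ b/mise.lock
@@ -0,0 +1,125 @@
+# @generated - this file is auto-generated by `mise lock` https://mise.jdx.dev/dev-tools/mise-lock.html
+
+[[tools."github:golangci/golangci-lint"]]
+version = "2.11.3"
+backend = "github:golangci/golangci-lint"
+
+[tools."github:golangci/golangci-lint"."platforms.linux-arm64"]
+checksum = "sha256:ee3d95f301359e7d578e6d99c8ad5aeadbabc5a13009a30b2b0df11c8058afe9"
+url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-linux-arm64.tar.gz"
+url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370749014"
+provenance = "github-attestations"
+
+[tools."github:golangci/golangci-lint"."platforms.linux-arm64-musl"]
+checksum = "sha256:ee3d95f301359e7d578e6d99c8ad5aeadbabc5a13009a30b2b0df11c8058afe9"
+url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-linux-arm64.tar.gz"
+url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370749014"
+provenance = "github-attestations"
+
+[tools."github:golangci/golangci-lint"."platforms.linux-x64"]
+checksum = "sha256:87bb8cddbcc825d5778b64e8a91b46c0526b247f4e2f2904dea74ec7450475d1"
+url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-linux-amd64.tar.gz"
+url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370748984"
+provenance = "github-attestations"
+
+[tools."github:golangci/golangci-lint"."platforms.linux-x64-musl"]
+checksum = "sha256:87bb8cddbcc825d5778b64e8a91b46c0526b247f4e2f2904dea74ec7450475d1"
+url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-linux-amd64.tar.gz"
+url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370748984"
+provenance = "github-attestations"
+
+[tools."github:golangci/golangci-lint"."platforms.macos-arm64"]
+checksum = "sha256:30ee39979c516b9d1adca289a3f93429d130c4c0fda5e57d637850894221f6cc"
+url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-darwin-arm64.tar.gz"
+url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370749042"
+provenance = "github-attestations"
+
+[tools."github:golangci/golangci-lint"."platforms.macos-x64"]
+checksum = "sha256:f93bda1f2cc981fd1326464020494be62f387bbf262706e1b3b644e5afacc440"
+url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-darwin-amd64.tar.gz"
+url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370749038"
+provenance = "github-attestations"
+
+[tools."github:golangci/golangci-lint"."platforms.windows-x64"]
+checksum = "sha256:cd42e890176bc5cfeb36225a77e66b9410ddd3a59a03551e23f6b210d29e1f67"
+url = "https://github.com/golangci/golangci-lint/releases/download/v2.11.3/golangci-lint-2.11.3-windows-amd64.zip"
+url_api = "https://api.github.com/repos/golangci/golangci-lint/releases/assets/370749053"
+provenance = "github-attestations"
+
+[[tools."github:goreleaser/goreleaser"]]
+version = "2.14.3"
+backend = "github:goreleaser/goreleaser"
+
+[tools."github:goreleaser/goreleaser"."platforms.linux-arm64"]
+checksum = "sha256:581a10e53c1176b3e81ee45cf531e02dbf899db0bc7b795669347df4276ce948"
+url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Linux_arm64.tar.gz"
+url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190230"
+provenance = "github-attestations"
+
+[tools."github:goreleaser/goreleaser"."platforms.linux-arm64-musl"]
+checksum = "sha256:581a10e53c1176b3e81ee45cf531e02dbf899db0bc7b795669347df4276ce948"
+url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Linux_arm64.tar.gz"
+url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190230"
+provenance = "github-attestations"
+
+[tools."github:goreleaser/goreleaser"."platforms.linux-x64"]
+checksum = "sha256:dc7faeeeb6da8bdfda788626263a4ae725892a8c7504b975c3234127d4a44579"
+url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Linux_x86_64.tar.gz"
+url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190264"
+provenance = "github-attestations"
+
+[tools."github:goreleaser/goreleaser"."platforms.linux-x64-musl"]
+checksum = "sha256:dc7faeeeb6da8bdfda788626263a4ae725892a8c7504b975c3234127d4a44579"
+url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Linux_x86_64.tar.gz"
+url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190264"
+provenance = "github-attestations"
+
+[tools."github:goreleaser/goreleaser"."platforms.macos-arm64"]
+checksum = "sha256:6dae42fecaed39f36d0ac9ce98f36ee14804e483f5c1446e205796ac91b7be4e"
+url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Darwin_arm64.tar.gz"
+url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190287"
+provenance = "github-attestations"
+
+[tools."github:goreleaser/goreleaser"."platforms.macos-x64"]
+checksum = "sha256:d8fcc408826058986df90950ce2824ed037e57e3229eb23dcf0badc8d23123bc"
+url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Darwin_x86_64.tar.gz"
+url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190276"
+provenance = "github-attestations"
+
+[tools."github:goreleaser/goreleaser"."platforms.windows-x64"]
+checksum = "sha256:3deea8ff471aa258a2d99f3e5302971d7028647ae8ddaf103257a8113e485a31"
+url = "https://github.com/goreleaser/goreleaser/releases/download/v2.14.3/goreleaser_Windows_x86_64.zip"
+url_api = "https://api.github.com/repos/goreleaser/goreleaser/releases/assets/370190313"
+provenance = "github-attestations"
+
+[[tools.go]]
+version = "1.26.0"
+backend = "core:go"
+
+[tools.go."platforms.linux-arm64"]
+checksum = "sha256:bd03b743eb6eb4193ea3c3fd3956546bf0e3ca5b7076c8226334afe6b75704cd"
+url = "https://dl.google.com/go/go1.26.0.linux-arm64.tar.gz"
+
+[tools.go."platforms.linux-arm64-musl"]
+checksum = "sha256:bd03b743eb6eb4193ea3c3fd3956546bf0e3ca5b7076c8226334afe6b75704cd"
+url = "https://dl.google.com/go/go1.26.0.linux-arm64.tar.gz"
+
+[tools.go."platforms.linux-x64"]
+checksum = "sha256:aac1b08a0fb0c4e0a7c1555beb7b59180b05dfc5a3d62e40e9de90cd42f88235"
+url = "https://dl.google.com/go/go1.26.0.linux-amd64.tar.gz"
+
+[tools.go."platforms.linux-x64-musl"]
+checksum = "sha256:aac1b08a0fb0c4e0a7c1555beb7b59180b05dfc5a3d62e40e9de90cd42f88235"
+url = "https://dl.google.com/go/go1.26.0.linux-amd64.tar.gz"
+
+[tools.go."platforms.macos-arm64"]
+checksum = "sha256:b1640525dfe68f066d56f200bef7bf4dce955a1a893bd061de6754c211431023"
+url = "https://dl.google.com/go/go1.26.0.darwin-arm64.tar.gz"
+
+[tools.go."platforms.macos-x64"]
+checksum = "sha256:1ca28b7703cbea05a65b2a1d92d6b308610ef92f8824578a0874f2e60c9d5a22"
+url = "https://dl.google.com/go/go1.26.0.darwin-amd64.tar.gz"
+
+[tools.go."platforms.windows-x64"]
+checksum = "sha256:9bbe0fc64236b2b51f6255c05c4232532b8ecc0e6d2e00950bd3021d8a4d07d4"
+url = "https://dl.google.com/go/go1.26.0.windows-amd64.zip"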

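--- a/mise.toml
+++ b/mise.toml
@@ -2,3 +2,6 @@
 go = "1.26.0"
 "github:golangci/golangci-lint" = "2.11.3"
 "github:goreleaser/goreleaser" = "v2.14.3"
+
+[settings]
+lockfile = true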
