|
28 | 28 | with: |
29 | 29 | egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }} |
30 | 30 | - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 31 | + with: |
| 32 | + persist-credentials: false |
31 | 33 | # Ignores do not work: https://github.com/reviewdog/action-hadolint/issues/35 is resolved |
32 | 34 | - uses: reviewdog/action-hadolint@921946a7ebaaf08ac72607bad67209f4e52b5407 # v1.50.5 |
33 | 35 |
|
|
44 | 46 | with: |
45 | 47 | egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }} |
46 | 48 | - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 49 | + with: |
| 50 | + persist-credentials: false |
47 | 51 | - uses: reviewdog/action-shellcheck@4c07458293ac342d477251099501a718ae5ef86e # v1.32.0 |
48 | 52 | with: |
49 | 53 | reporter: github-pr-review |
|
65 | 69 | with: |
66 | 70 | egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }} |
67 | 71 | - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 72 | + with: |
| 73 | + persist-credentials: false |
68 | 74 | - run: | |
69 | 75 | echo "::add-matcher::.github/actionlint-matcher.json" |
70 | 76 | bash <(curl https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) |
|
80 | 86 | with: |
81 | 87 | egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }} |
82 | 88 | - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 89 | + with: |
| 90 | + persist-credentials: false |
83 | 91 | - run: ./scripts/format-yaml-files.sh |
84 | 92 | shell: bash |
85 | 93 |
|
@@ -141,7 +149,37 @@ jobs: |
141 | 149 | with: |
142 | 150 | egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }} |
143 | 151 | - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 152 | + with: |
| 153 | + persist-credentials: false |
144 | 154 | - uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0 |
145 | 155 | with: |
146 | 156 | skip_push: "true" |
147 | 157 | review: "true" |
| 158 | + |
| 159 | + zizmor-lint: |
| 160 | + runs-on: ubuntu-latest |
| 161 | + name: PR - Zizmor |
| 162 | + # https://docs.zizmor.sh/ |
| 163 | + permissions: |
| 164 | + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. |
| 165 | + # contents: read # Only needed for private repos. Needed to clone the repo. |
| 166 | + # actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info. |
| 167 | + steps: |
| 168 | + - name: Harden the runner |
| 169 | + uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1 |
| 170 | + with: |
| 171 | + egress-policy: ${{ env.STEP_SECURITY_EGRESS_POLICY }} |
| 172 | + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 |
| 173 | + with: |
| 174 | + persist-credentials: false |
| 175 | + |
| 176 | + - name: Run zizmor |
| 177 | + uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3 |
| 178 | + with: |
| 179 | + # We only want to scan our workflows, no other included source |
| 180 | + input: | |
| 181 | + ".github/" |
| 182 | + # Upload to security tab in GitHub, requires permissions: security-events: write |
| 183 | + # Note this does not fail the workflow, just uploads the results to the security tab in GitHub |
| 184 | + advanced-security: true |
| 185 | + min-severity: "medium" |
0 commit comments