Skip to content

Commit b3ade9e

Browse files
committed
ci: integrate zizmor workflow security gate into iOS CI
Add a dedicated workflow-security job to the shared iOS build workflow to enforce GitHub Actions security auditing with [zizmor](https://github.com/zizmorcore/zizmor), and make it a hard gate for the rest of the pipeline.
1 parent 9f483d5 commit b3ade9e

2 files changed

Lines changed: 52 additions & 0 deletions

File tree

.github/workflows/test_pr_changes.yml

Lines changed: 40 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,16 +6,56 @@ on:
66
merge_group:
77
types: [checks_requested]
88

9+
permissions:
10+
contents: read
11+
actions: read
12+
security-events: write
13+
pull-requests: write
14+
checks: write
15+
916
# This is what will cancel the workflow
1017
concurrency:
1118
group: ${{ github.workflow }}-${{ github.ref }}
1219
cancel-in-progress: true
1320

1421
jobs:
22+
workflow-security:
23+
name: Workflow security analysis
24+
runs-on: ubuntu-24.04
25+
permissions:
26+
contents: read # required for actions/checkout to read workflow sources
27+
actions: read # required for zizmor online audits in private repositories
28+
security-events: write # required for SARIF upload
29+
steps:
30+
- name: Checkout repository
31+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
32+
with:
33+
persist-credentials: false
34+
35+
- name: Run zizmor
36+
id: zizmor
37+
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
38+
with:
39+
inputs: .github/workflows/test_pr_changes.yml
40+
version: 1.25.2
41+
persona: pedantic
42+
min-severity: informational
43+
min-confidence: low
44+
config: .github/zizmor.yml
45+
46+
- name: Fail if zizmor reported findings
47+
env:
48+
sarifFilePath: ${{ steps.zizmor.outputs.output-file }}
49+
run: |
50+
findingsCount="$(jq '[.runs[].results[]] | length' "$sarifFilePath")"
51+
echo "zizmor findings: $findingsCount"
52+
test "$findingsCount" -eq 0
53+
1554
# This job will tell us which frameworks have source code changes.
1655
# We'll use the results to run tests only for changed frameworks.
1756
detect-changes:
1857
name: Detect PR Changes
58+
needs: [workflow-security]
1959
if: ${{ github.event.pull_request.draft != true }}
2060
runs-on: ubuntu-24.04
2161
# Set job outputs to values from filter step

.github/zizmor.yml

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
---
2+
# All audits run with defaults; only configurable audits are overridden below.
3+
# Persona, severity floor, and confidence floor are set in workflow files.
4+
rules:
5+
unpinned-uses:
6+
config:
7+
policies:
8+
'*': hash-pin
9+
10+
secrets-outside-env:
11+
config:
12+
allow: []

0 commit comments

Comments
 (0)