File tree Expand file tree Collapse file tree
Expand file tree Collapse file tree Original file line number Diff line number Diff line change 66 merge_group :
77 types : [checks_requested]
88
9+ permissions :
10+ contents : read
11+ actions : read
12+ security-events : write
13+ pull-requests : write
14+ checks : write
15+
916# This is what will cancel the workflow
1017concurrency :
1118 group : ${{ github.workflow }}-${{ github.ref }}
1219 cancel-in-progress : true
1320
1421jobs :
22+ workflow-security :
23+ name : Workflow security analysis
24+ runs-on : ubuntu-24.04
25+ permissions :
26+ contents : read # required for actions/checkout to read workflow sources
27+ actions : read # required for zizmor online audits in private repositories
28+ security-events : write # required for SARIF upload
29+ steps :
30+ - name : Checkout repository
31+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
32+ with :
33+ persist-credentials : false
34+
35+ - name : Run zizmor
36+ id : zizmor
37+ uses : zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
38+ with :
39+ inputs : .github/workflows/test_pr_changes.yml
40+ version : 1.25.2
41+ persona : pedantic
42+ min-severity : informational
43+ min-confidence : low
44+ config : .github/zizmor.yml
45+
46+ - name : Fail if zizmor reported findings
47+ env :
48+ sarifFilePath : ${{ steps.zizmor.outputs.output-file }}
49+ run : |
50+ findingsCount="$(jq '[.runs[].results[]] | length' "$sarifFilePath")"
51+ echo "zizmor findings: $findingsCount"
52+ test "$findingsCount" -eq 0
53+
1554 # This job will tell us which frameworks have source code changes.
1655 # We'll use the results to run tests only for changed frameworks.
1756 detect-changes :
1857 name : Detect PR Changes
58+ needs : [workflow-security]
1959 if : ${{ github.event.pull_request.draft != true }}
2060 runs-on : ubuntu-24.04
2161 # Set job outputs to values from filter step
Original file line number Diff line number Diff line change 1+ ---
2+ # All audits run with defaults; only configurable audits are overridden below.
3+ # Persona, severity floor, and confidence floor are set in workflow files.
4+ rules :
5+ unpinned-uses :
6+ config :
7+ policies :
8+ ' * ' : hash-pin
9+
10+ secrets-outside-env :
11+ config :
12+ allow : []
You can’t perform that action at this time.
0 commit comments