Skip to content

Commit ce6a84f

Browse files
committed
ci: integrate zizmor workflow security gate into iOS CI
Add a dedicated workflow-security job to the shared iOS build workflow to enforce GitHub Actions security auditing with [zizmor](https://github.com/zizmorcore/zizmor), and make it a hard gate for the rest of the pipeline.
1 parent 9f483d5 commit ce6a84f

3 files changed

Lines changed: 69 additions & 3 deletions

File tree

β€Ž.github/workflows/_reusable_run_tests.ymlβ€Ž

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -39,6 +39,10 @@ on:
3939
required: true
4040
OP_SERVICE_ACCOUNT_TOKEN:
4141
required: true
42+
WIRE_IOS_CI_WEBHOOK:
43+
required: false
44+
WIRE_IOS_NIGHTLY_WEBHOOK:
45+
required: false
4246

4347
env: # https://docs.fastlane.tools/getting-started/ios/setup/
4448
LC_ALL: en_US.UTF-8
@@ -461,4 +465,3 @@ jobs:
461465
uses: ./.github/actions/upload-datadog-junit
462466
with:
463467
api_key: ${{ secrets.DD_API_KEY }}
464-

β€Ž.github/workflows/test_pr_changes.ymlβ€Ž

Lines changed: 53 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,16 +6,53 @@ on:
66
merge_group:
77
types: [checks_requested]
88

9+
permissions:
10+
contents: read
11+
actions: read
12+
913
# This is what will cancel the workflow
1014
concurrency:
1115
group: ${{ github.workflow }}-${{ github.ref }}
1216
cancel-in-progress: true
1317

1418
jobs:
19+
workflow-security:
20+
name: Workflow security analysis
21+
runs-on: ubuntu-24.04
22+
permissions:
23+
contents: read # required for actions/checkout to read workflow sources
24+
actions: read # required for zizmor online audits in private repositories
25+
security-events: write # required for SARIF upload
26+
steps:
27+
- name: Checkout repository
28+
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
29+
with:
30+
persist-credentials: false
31+
32+
- name: Run zizmor
33+
id: zizmor
34+
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
35+
with:
36+
inputs: .github/workflows/test_pr_changes.yml
37+
version: 1.25.2
38+
persona: pedantic
39+
min-severity: informational
40+
min-confidence: low
41+
config: .github/zizmor.yml
42+
43+
- name: Fail if zizmor reported findings
44+
env:
45+
sarifFilePath: ${{ steps.zizmor.outputs.output-file }}
46+
run: |
47+
findingsCount="$(jq '[.runs[].results[]] | length' "$sarifFilePath")"
48+
echo "zizmor findings: $findingsCount"
49+
test "$findingsCount" -eq 0
50+
1551
# This job will tell us which frameworks have source code changes.
1652
# We'll use the results to run tests only for changed frameworks.
1753
detect-changes:
1854
name: Detect PR Changes
55+
needs: [workflow-security]
1956
if: ${{ github.event.pull_request.draft != true }}
2057
runs-on: ubuntu-24.04
2158
# Set job outputs to values from filter step
@@ -24,10 +61,12 @@ jobs:
2461

2562
steps:
2663
- uses: actions/checkout@v4
64+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2765
if: ${{ github.event_name == 'merge_group' }} # on PR, paths-filter can access list of changed files from event payload
2866
with:
67+
persist-credentials: false
2968
lfs: 'false' # as long as we use lfs only for snapshotTesting it should not be useful here
30-
- uses: dorny/paths-filter@v3
69+
- uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
3170
id: filter
3271
with:
3372
filters: |
@@ -139,20 +178,32 @@ jobs:
139178
needs: [detect-changes, decide-strategy]
140179
name: PR Tests
141180
if: ${{ needs.decide-strategy.outputs.use_parallel != 'true' }}
181+
permissions:
182+
contents: read # required for called workflow repository checkout
183+
pull-requests: write # required for called workflow test result publication
184+
checks: write # required for called workflow check annotations
142185
uses: ./.github/workflows/_reusable_run_tests.yml
143186
with:
144187
folders: ${{ join(fromJson(needs.detect-changes.outputs.folders), ',') }}
145188
notify_secret: WIRE_IOS_CI_WEBHOOK
146189
test_dependencies: ${{ github.event_name != 'pull_request' || startsWith(github.base_ref, 'release/cycle') }}
147190
run_critical_flows: false # separate workflow
148191
notify: failure
149-
secrets: inherit
192+
secrets:
193+
ZENKINS_USERNAME: ${{ secrets.ZENKINS_USERNAME }}
194+
DD_API_KEY: ${{ secrets.DD_API_KEY }}
195+
OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
196+
WIRE_IOS_CI_WEBHOOK: ${{ secrets.WIRE_IOS_CI_WEBHOOK }}
150197

151198
# ── Parallel ────────────────────────────────────────────────────────────────
152199
trigger_tests_pr_parallel:
153200
needs: [detect-changes, decide-strategy]
154201
name: PR Tests
155202
if: ${{ needs.decide-strategy.outputs.use_parallel == 'true' }}
203+
permissions:
204+
contents: read # required for called workflow repository checkout
205+
pull-requests: write # required for called workflow test result publication
206+
checks: write # required for called workflow check annotations
156207
uses: ./.github/workflows/_reusable_run_tests_parallel.yml
157208
with:
158209
folders: ${{ join(fromJson(needs.detect-changes.outputs.folders), ',') }}

β€Ž.github/zizmor.ymlβ€Ž

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
---
2+
# All audits run with defaults; only configurable audits are overridden below.
3+
# Persona, severity floor, and confidence floor are set in workflow files.
4+
rules:
5+
unpinned-uses:
6+
config:
7+
policies:
8+
'*': hash-pin
9+
10+
secrets-outside-env:
11+
config:
12+
allow: []

0 commit comments

Comments
Β (0)