66 merge_group :
77 types : [checks_requested]
88
9+ permissions :
10+ contents : read
11+ actions : read
12+
913# This is what will cancel the workflow
1014concurrency :
1115 group : ${{ github.workflow }}-${{ github.ref }}
1216 cancel-in-progress : true
1317
1418jobs :
19+ workflow-security :
20+ name : Workflow security analysis
21+ runs-on : ubuntu-24.04
22+ permissions :
23+ contents : read # required for actions/checkout to read workflow sources
24+ actions : read # required for zizmor online audits in private repositories
25+ security-events : write # required for SARIF upload
26+ steps :
27+ - name : Checkout repository
28+ uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
29+ with :
30+ persist-credentials : false
31+
32+ - name : Run zizmor
33+ id : zizmor
34+ uses : zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
35+ with :
36+ inputs : .github/workflows/test_pr_changes.yml
37+ version : 1.25.2
38+ persona : pedantic
39+ min-severity : informational
40+ min-confidence : low
41+ config : .github/zizmor.yml
42+
43+ - name : Fail if zizmor reported findings
44+ env :
45+ sarifFilePath : ${{ steps.zizmor.outputs.output-file }}
46+ run : |
47+ findingsCount="$(jq '[.runs[].results[]] | length' "$sarifFilePath")"
48+ echo "zizmor findings: $findingsCount"
49+ test "$findingsCount" -eq 0
50+
1551 # This job will tell us which frameworks have source code changes.
1652 # We'll use the results to run tests only for changed frameworks.
1753 detect-changes :
1854 name : Detect PR Changes
55+ needs : [workflow-security]
1956 if : ${{ github.event.pull_request.draft != true }}
2057 runs-on : ubuntu-24.04
2158 # Set job outputs to values from filter step
@@ -24,10 +61,12 @@ jobs:
2461
2562 steps :
2663 - uses : actions/checkout@v4
64+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2765 if : ${{ github.event_name == 'merge_group' }} # on PR, paths-filter can access list of changed files from event payload
2866 with :
67+ persist-credentials : false
2968 lfs : ' false' # as long as we use lfs only for snapshotTesting it should not be useful here
30- - uses : dorny/paths-filter@v3
69+ - uses : dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3
3170 id : filter
3271 with :
3372 filters : |
@@ -139,20 +178,32 @@ jobs:
139178 needs : [detect-changes, decide-strategy]
140179 name : PR Tests
141180 if : ${{ needs.decide-strategy.outputs.use_parallel != 'true' }}
181+ permissions :
182+ contents : read # required for called workflow repository checkout
183+ pull-requests : write # required for called workflow test result publication
184+ checks : write # required for called workflow check annotations
142185 uses : ./.github/workflows/_reusable_run_tests.yml
143186 with :
144187 folders : ${{ join(fromJson(needs.detect-changes.outputs.folders), ',') }}
145188 notify_secret : WIRE_IOS_CI_WEBHOOK
146189 test_dependencies : ${{ github.event_name != 'pull_request' || startsWith(github.base_ref, 'release/cycle') }}
147190 run_critical_flows : false # separate workflow
148191 notify : failure
149- secrets : inherit
192+ secrets :
193+ ZENKINS_USERNAME : ${{ secrets.ZENKINS_USERNAME }}
194+ DD_API_KEY : ${{ secrets.DD_API_KEY }}
195+ OP_SERVICE_ACCOUNT_TOKEN : ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
196+ WIRE_IOS_CI_WEBHOOK : ${{ secrets.WIRE_IOS_CI_WEBHOOK }}
150197
151198 # ββ Parallel ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
152199 trigger_tests_pr_parallel :
153200 needs : [detect-changes, decide-strategy]
154201 name : PR Tests
155202 if : ${{ needs.decide-strategy.outputs.use_parallel == 'true' }}
203+ permissions :
204+ contents : read # required for called workflow repository checkout
205+ pull-requests : write # required for called workflow test result publication
206+ checks : write # required for called workflow check annotations
156207 uses : ./.github/workflows/_reusable_run_tests_parallel.yml
157208 with :
158209 folders : ${{ join(fromJson(needs.detect-changes.outputs.folders), ',') }}
0 commit comments