Skip to content

ci: integrate zizmor workflow security gate into iOS CI#4750

Open
screendriver wants to merge 2 commits into
developfrom
zizmor
Open

ci: integrate zizmor workflow security gate into iOS CI#4750
screendriver wants to merge 2 commits into
developfrom
zizmor

Conversation

@screendriver

Copy link
Copy Markdown
Member

Issue

Add a dedicated workflow-security job to the shared iOS build workflow to enforce GitHub Actions security auditing with zizmor, and make it a hard gate for the rest of the pipeline.


Checklist

  • Title contains a reference JIRA issue number like [WPB-XXX].
  • Description is filled and free of optional paragraphs.
  • Adds/updates automated tests.

UI accessibility checklist

If your PR includes UI changes, please utilize this checklist:

  • Make sure you use the API for UI elements that support large fonts.
  • All colors are taken from WireDesign.ColorTheme or constructed using WireDesign.BaseColorPalette.
  • New UI elements have Accessibility strings for VoiceOver.

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Comment thread .github/workflows/test_pr_changes.yml Fixed
Comment thread .github/workflows/test_pr_changes.yml Fixed
Comment thread .github/workflows/test_pr_changes.yml Fixed
Comment thread .github/workflows/test_pr_changes.yml Fixed
Comment thread .github/workflows/test_pr_changes.yml Fixed
Add a dedicated workflow-security job to the shared iOS build workflow to enforce GitHub Actions security auditing with [zizmor](https://github.com/zizmorcore/zizmor), and make it a hard gate for the rest of the pipeline.
@github-actions

github-actions Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

Test Results

0 tests   0 ✅  0s ⏱️
0 suites  0 💤
0 files    0 ❌

Results for commit 45a159f.

♻️ This comment has been updated with latest results.

Summary: workflow run #27532399395

@screendriver screendriver enabled auto-merge May 21, 2026 12:17
@johnxnguyen johnxnguyen requested a review from netbe June 15, 2026 07:59
@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@netbe netbe left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

left some comments before approving.

Also @screendriver could you reference a JIRA ticket for this in the title "ci: ... - WPB-XXX" ?


permissions:
contents: read # required for workflows that need repository checkout access
actions: read # required for reading workflow/action metadata

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: should this be fixed?

types: [checks_requested]

permissions:
contents: read # required for workflows that need repository checkout access

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: should this be fixed?

Comment on lines +27 to +30
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

question: Does this need to run on separate job? Why not run zizmor step within the detect-changes so we don't pay twice the checkout and job costs?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants