diff --git a/.github/workflows/_reusable_run_tests.yml b/.github/workflows/_reusable_run_tests.yml index 07d37bb546f..e0700a9cafa 100644 --- a/.github/workflows/_reusable_run_tests.yml +++ b/.github/workflows/_reusable_run_tests.yml @@ -39,6 +39,10 @@ on: required: true OP_SERVICE_ACCOUNT_TOKEN: required: true + WIRE_IOS_CI_WEBHOOK: + required: false + WIRE_IOS_NIGHTLY_WEBHOOK: + required: false env: # https://docs.fastlane.tools/getting-started/ios/setup/ LC_ALL: en_US.UTF-8 @@ -450,4 +454,3 @@ jobs: uses: ./.github/actions/upload-datadog-junit with: api_key: ${{ secrets.DD_API_KEY }} - diff --git a/.github/workflows/test_pr_changes.yml b/.github/workflows/test_pr_changes.yml index fb0f6236bd5..1c4251b4830 100644 --- a/.github/workflows/test_pr_changes.yml +++ b/.github/workflows/test_pr_changes.yml @@ -6,16 +6,53 @@ on: merge_group: types: [checks_requested] +permissions: + contents: read # required for workflows that need repository checkout access + actions: read # required for reading workflow/action metadata + # This is what will cancel the workflow concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: + workflow-security: + name: Workflow security analysis + runs-on: ubuntu-24.04 + permissions: + contents: read # required for actions/checkout to read workflow sources + actions: read # required for zizmor online audits in private repositories + security-events: write # required for SARIF upload + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + id: zizmor + uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 + with: + inputs: .github/workflows/test_pr_changes.yml + version: 1.25.2 + persona: pedantic + min-severity: informational + min-confidence: low + config: .github/zizmor.yml + + - name: Fail if zizmor reported findings + env: + sarifFilePath: ${{ steps.zizmor.outputs.output-file }} + run: | + findingsCount="$(jq '[.runs[].results[]] | length' "$sarifFilePath")" + echo "zizmor findings: $findingsCount" + test "$findingsCount" -eq 0 + # This job will tell us which frameworks have source code changes. # We'll use the results to run tests only for changed frameworks. detect-changes: name: Detect PR Changes + needs: [workflow-security] if: ${{ github.event.pull_request.draft != true }} runs-on: ubuntu-24.04 # Set job outputs to values from filter step @@ -23,9 +60,10 @@ jobs: folders: ${{ steps.filter.outputs.changes }} steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 if: ${{ github.event_name == 'merge_group' }} # on PR, paths-filter can access list of changed files from event payload with: + persist-credentials: false lfs: 'false' # as long as we use lfs only for snapshotTesting it should not be useful here - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 id: filter @@ -139,6 +177,10 @@ jobs: needs: [detect-changes, decide-strategy] name: PR Tests if: ${{ needs.decide-strategy.outputs.use_parallel != 'true' }} + permissions: + contents: read # required for called workflow repository checkout + pull-requests: write # required for called workflow test result publication + checks: write # required for called workflow check annotations uses: ./.github/workflows/_reusable_run_tests.yml with: folders: ${{ join(fromJson(needs.detect-changes.outputs.folders), ',') }} @@ -146,13 +188,21 @@ jobs: test_dependencies: ${{ github.event_name != 'pull_request' || startsWith(github.base_ref, 'release/cycle') }} run_critical_flows: false # separate workflow notify: failure - secrets: inherit + secrets: + ZENKINS_USERNAME: ${{ secrets.ZENKINS_USERNAME }} + DD_API_KEY: ${{ secrets.DD_API_KEY }} + OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} + WIRE_IOS_CI_WEBHOOK: ${{ secrets.WIRE_IOS_CI_WEBHOOK }} # ── Parallel ──────────────────────────────────────────────────────────────── trigger_tests_pr_parallel: needs: [detect-changes, decide-strategy] name: PR Tests if: ${{ needs.decide-strategy.outputs.use_parallel == 'true' }} + permissions: + contents: read # required for called workflow repository checkout + pull-requests: write # required for called workflow test result publication + checks: write # required for called workflow check annotations uses: ./.github/workflows/_reusable_run_tests_parallel.yml with: folders: ${{ join(fromJson(needs.detect-changes.outputs.folders), ',') }} diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000000..fb035b679c4 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,12 @@ +--- +# All audits run with defaults; only configurable audits are overridden below. +# Persona, severity floor, and confidence floor are set in workflow files. +rules: + unpinned-uses: + config: + policies: + '*': hash-pin + + secrets-outside-env: + config: + allow: []