-
Notifications
You must be signed in to change notification settings - Fork 40
ci: integrate zizmor workflow security gate into iOS CI #4750
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: develop
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -6,26 +6,64 @@ | |
| merge_group: | ||
| types: [checks_requested] | ||
|
|
||
| permissions: | ||
| contents: read # required for workflows that need repository checkout access | ||
|
Check warning on line 10 in .github/workflows/test_pr_changes.yml
|
||
| actions: read # required for reading workflow/action metadata | ||
|
Check warning on line 11 in .github/workflows/test_pr_changes.yml
|
||
|
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. question: should this be fixed? |
||
|
|
||
| # This is what will cancel the workflow | ||
| concurrency: | ||
| group: ${{ github.workflow }}-${{ github.ref }} | ||
| cancel-in-progress: true | ||
|
|
||
| jobs: | ||
| workflow-security: | ||
| name: Workflow security analysis | ||
| runs-on: ubuntu-24.04 | ||
| permissions: | ||
| contents: read # required for actions/checkout to read workflow sources | ||
| actions: read # required for zizmor online audits in private repositories | ||
| security-events: write # required for SARIF upload | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| with: | ||
| persist-credentials: false | ||
|
Comment on lines
+27
to
+30
Collaborator
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. question: Does this need to run on separate job? Why not run zizmor step within the |
||
|
|
||
| - name: Run zizmor | ||
| id: zizmor | ||
| uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 | ||
| with: | ||
| inputs: .github/workflows/test_pr_changes.yml | ||
| version: 1.25.2 | ||
| persona: pedantic | ||
| min-severity: informational | ||
| min-confidence: low | ||
| config: .github/zizmor.yml | ||
|
|
||
| - name: Fail if zizmor reported findings | ||
| env: | ||
| sarifFilePath: ${{ steps.zizmor.outputs.output-file }} | ||
| run: | | ||
| findingsCount="$(jq '[.runs[].results[]] | length' "$sarifFilePath")" | ||
| echo "zizmor findings: $findingsCount" | ||
| test "$findingsCount" -eq 0 | ||
|
|
||
| # This job will tell us which frameworks have source code changes. | ||
| # We'll use the results to run tests only for changed frameworks. | ||
| detect-changes: | ||
| name: Detect PR Changes | ||
| needs: [workflow-security] | ||
| if: ${{ github.event.pull_request.draft != true }} | ||
| runs-on: ubuntu-24.04 | ||
| # Set job outputs to values from filter step | ||
| outputs: | ||
| folders: ${{ steps.filter.outputs.changes }} | ||
|
|
||
| steps: | ||
| - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | ||
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | ||
| if: ${{ github.event_name == 'merge_group' }} # on PR, paths-filter can access list of changed files from event payload | ||
| with: | ||
| persist-credentials: false | ||
| lfs: 'false' # as long as we use lfs only for snapshotTesting it should not be useful here | ||
| - uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1 | ||
| id: filter | ||
|
|
@@ -139,20 +177,32 @@ | |
| needs: [detect-changes, decide-strategy] | ||
| name: PR Tests | ||
| if: ${{ needs.decide-strategy.outputs.use_parallel != 'true' }} | ||
| permissions: | ||
| contents: read # required for called workflow repository checkout | ||
| pull-requests: write # required for called workflow test result publication | ||
| checks: write # required for called workflow check annotations | ||
| uses: ./.github/workflows/_reusable_run_tests.yml | ||
| with: | ||
| folders: ${{ join(fromJson(needs.detect-changes.outputs.folders), ',') }} | ||
| notify_secret: WIRE_IOS_CI_WEBHOOK | ||
| test_dependencies: ${{ github.event_name != 'pull_request' || startsWith(github.base_ref, 'release/cycle') }} | ||
| run_critical_flows: false # separate workflow | ||
| notify: failure | ||
| secrets: inherit | ||
| secrets: | ||
| ZENKINS_USERNAME: ${{ secrets.ZENKINS_USERNAME }} | ||
| DD_API_KEY: ${{ secrets.DD_API_KEY }} | ||
| OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }} | ||
| WIRE_IOS_CI_WEBHOOK: ${{ secrets.WIRE_IOS_CI_WEBHOOK }} | ||
|
|
||
| # ── Parallel ──────────────────────────────────────────────────────────────── | ||
| trigger_tests_pr_parallel: | ||
| needs: [detect-changes, decide-strategy] | ||
| name: PR Tests | ||
| if: ${{ needs.decide-strategy.outputs.use_parallel == 'true' }} | ||
| permissions: | ||
| contents: read # required for called workflow repository checkout | ||
| pull-requests: write # required for called workflow test result publication | ||
| checks: write # required for called workflow check annotations | ||
| uses: ./.github/workflows/_reusable_run_tests_parallel.yml | ||
| with: | ||
| folders: ${{ join(fromJson(needs.detect-changes.outputs.folders), ',') }} | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,12 @@ | ||
| --- | ||
| # All audits run with defaults; only configurable audits are overridden below. | ||
| # Persona, severity floor, and confidence floor are set in workflow files. | ||
| rules: | ||
| unpinned-uses: | ||
| config: | ||
| policies: | ||
| '*': hash-pin | ||
|
|
||
| secrets-outside-env: | ||
| config: | ||
| allow: [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
question: should this be fixed?