Fix hardened workflow checks
1 parent 540f3f0 commit d827c4f

7 files changed

Lines changed: 34 additions & 8 deletions


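--- a/.github/workflows/mariadb.yml
+++ b/.github/workflows/mariadb.yml
@@ -70,7 +70,7 @@ jobs:
 
 services:
 mysql:
-image: mariadb:${{ matrix.mariadb }}
+image: mariadb:${{ matrix.mariadb }} # zizmor: ignore[unpinned-images]
 env:
 MARIADB_ALLOW_EMPTY_ROOT_PASSWORD: true
 MARIADB_ROOT_PASSWORD: ''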
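Review bot: The `# zizmor: ignore[unpinned-images]` added to the `image:` line silences the finding without removing what it points at: the service container is still pulled by a mutable tag taken from `matrix.mariadb`, so the database the tests run against can change underneath the job with no commit to review. Because the tag is matrix-driven the digest cannot be appended to this expression directly, but the matrix entries could carry it (`<tag>@sha256:<digest>`, kept current by Dependabot/Renovate), which satisfies the rule instead of suppressing it. If tracking the floating tag is intentional for compatibility coverage, record that on a comment line above the `image:` key, e.g. `# tag deliberately floats to test the latest patch release; see unpinned-images suppression below`, so the next reader does not mistake the ignore for an oversight. The job's matrix is outside this hunk, so I cannot confirm what `matrix.mariadb` contains.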

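--- a/.github/workflows/mssql.yml
+++ b/.github/workflows/mssql.yml
@@ -72,7 +72,7 @@ jobs:
 
 services:
 mssql:
-image: mcr.microsoft.com/mssql/server:${{ matrix.mssql.server }}
+image: mcr.microsoft.com/mssql/server:${{ matrix.mssql.server }} # zizmor: ignore[unpinned-images]
 env:
 MSSQL_SA_PASSWORD: YourStrong!Passw0rd
 ACCEPT_EULA: Y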

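--- a/.github/workflows/mutation.yml
+++ b/.github/workflows/mutation.yml
@@ -46,7 +46,7 @@ jobs:
 
 services:
 postgres:
-image: postgres:18
+image: postgres:18 # zizmor: ignore[unpinned-images]
 env:
 POSTGRES_USER: root
 POSTGRES_PASSWORD: root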
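Review bot: Unlike the matrix-driven workflows in this commit, this service uses the fixed tag `postgres:18`, so the finding could be resolved rather than suppressed by pinning the digest on the `image:` line: `image: postgres:18@sha256:<digest>` (resolve it with `docker buildx imagetools inspect postgres:18` and let Dependabot/Renovate bump it). A digest pin is exactly what `unpinned-images` asks for, and it keeps the mutation run reproducible against one known image instead of whatever `18` resolves to on the day. If letting the major tag float is deliberate, keep the ignore but explain it on a comment line above, e.g. `# postgres:18 floats on purpose: mutation run tracks the latest 18.x`.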

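--- a/.github/workflows/mysql.yml
+++ b/.github/workflows/mysql.yml
@@ -62,7 +62,7 @@ jobs:
 
 services:
 mysql:
-image: mysql:${{ matrix.mysql }}
+image: mysql:${{ matrix.mysql }} # zizmor: ignore[unpinned-images]
 env:
 MYSQL_ALLOW_EMPTY_PASSWORD: true
 MYSQL_PASSWORD: ''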

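--- a/.github/workflows/oracle.yml
+++ b/.github/workflows/oracle.yml
@@ -60,7 +60,7 @@ jobs:
 
 services:
 oci:
-image: gvenzl/oracle-xe:${{ matrix.oracle }}
+image: gvenzl/oracle-xe:${{ matrix.oracle }} # zizmor: ignore[unpinned-images]
 ports:
 - 1521:1521
 env: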
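Review bot: Of the six suppressions in this commit, the one on this `image:` line deserves the most scrutiny: `gvenzl/oracle-xe` appears to be a personal Docker Hub namespace rather than a Docker Official Image or a vendor registry, so an unpinned tag here trusts that account's future pushes with the job's runtime. Consider carrying a digest in the `matrix.oracle` entries (`<tag>@sha256:<digest>`) even if the other database workflows keep floating tags, or at least state the reasoning on a comment line above the `image:` key, e.g. `# third-party image; digest not pinned because the matrix tracks several XE releases -- revisit`. The matrix and the rest of the job are outside this hunk, so I cannot see which tags are in play.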

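--- a/.github/workflows/pgsql.yml
+++ b/.github/workflows/pgsql.yml
@@ -69,7 +69,7 @@ jobs:
 
 services:
 postgres:
-image: postgres:${{ matrix.pgsql }}
+image: postgres:${{ matrix.pgsql }} # zizmor: ignore[unpinned-images]
 env:
 POSTGRES_USER: root
 POSTGRES_PASSWORD: root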

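--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -1,4 +1,4 @@
-name: GitHub Actions Security Analysis with zizmor 🌈
+name: GitHub Actions Security Analysis with zizmor
 
 on:
 push:
@@ -15,4 +15,30 @@ permissions:
 
 jobs:
 zizmor:
-uses: yiisoft/actions/.github/workflows/zizmor.yml@master
+name: Run zizmor
+runs-on: ubuntu-latest
+steps:
+- name: Checkout repository
+uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
+with:
+persist-credentials: false
+
+- name: Create zizmor configuration
+run: |
+cat > .zizmor-shared.yml <<'YAML'
+rules:
+unpinned-uses:
+config:
+policies:
+"yiisoft/*": any
+YAML
+
+- name: Run zizmor
+uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+with:
+advanced-security: false
+annotations: true
+config: .zizmor-shared.yml
+inputs: .github
+min-severity: high
+persona: 'pedantic'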
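Review bot: The generated policy `"yiisoft/*": any` under `policies:` switches pin checking off entirely for every action and reusable workflow in the org, which is the weakest of zizmor's policy levels; a compromised or force-pushed ref in a first-party repo is still a supply-chain hop into this job, and this very file hash-pins `actions/checkout` and `zizmor-action` while exempting its own org. Prefer `"yiisoft/*": hash-pin` (or `ref-pin` if the org's release tags are the accepted trust boundary) so the exemption is a deliberate, narrower choice. Writing the config from a `run:` heredoc also keeps the policy out of normal file review; committing it as `.github/zizmor.yml`, which zizmor looks for by default, would make the exemption visible and diffable and drop the `config:` input. The `permissions:` block named in the second `@@` header sits outside the hunk, so I cannot confirm the token scope this inline job now runs with.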
