@@ -0,0 +1,56 @@
|
|
|
+name: Zizmor Actions Scanner
|
|
|
+
|
|
|
+on:
|
|
|
+ push:
|
|
|
+ branches:
|
|
|
+ - main
|
|
|
+ paths:
|
|
|
+ - '.github/workflows/**'
|
|
|
+ pull_request:
|
|
|
+ branches:
|
|
|
+ - main
|
|
|
+ paths:
|
|
|
+ - '.github/workflows/**'
|
|
|
+
|
|
|
+jobs:
|
|
|
+ detect-noop:
|
|
|
+ permissions:
|
|
|
+ actions: write # for fkirc/skip-duplicate-actions to skip or stop workflow runs
|
|
|
+ contents: read # for fkirc/skip-duplicate-actions to read and compare commits
|
|
|
+ runs-on: ubuntu-latest
|
|
|
+ outputs:
|
|
|
+ noop: ${{ steps.noop.outputs.should_skip }}
|
|
|
+ steps:
|
|
|
+ - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
|
|
|
+ with:
|
|
|
+ egress-policy: audit
|
|
|
+ - name: Detect No-op Changes
|
|
|
+ id: noop
|
|
|
+ uses: fkirc/skip-duplicate-actions@f75f66ce1886f00957d99748a42c724f4330bdcf # v5.3.1
|
|
|
+ with:
|
|
|
+ github_token: ${{ secrets.GITHUB_TOKEN }}
|
|
|
+ paths_ignore: '["**.md", "**.png", "**.jpg"]'
|
|
|
+ do_not_skip: '["workflow_dispatch", "schedule", "push"]'
|
|
|
+ concurrent_skipping: false
|
|
|
+
|
|
|
+ zizmor:
|
|
|
+ name: Run zizmor 🌈
|
|
|
+ runs-on: ubuntu-latest
|
|
|
+ needs: detect-noop
|
|
|
+ if: needs.detect-noop.outputs.noop != 'true'
|
|
|
+ permissions:
|
|
|
+ security-events: write
|
|
|
+ steps:
|
|
|
+ - name: Checkout repository
|
|
|
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
+ with:
|
|
|
+ persist-credentials: false
|
|
|
+
|
|
|
+ - name: Run zizmor 🌈
|
|
|
+ uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
|
|
|
+ with:
|
|
|
+ inputs: |
|
|
|
+ .github/
|
|
|
+ token: ${{ github.token }}
|
|
|
+ # min-severity: medium
|
|
|
+ # min-confidence: medium
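Review bot: The `zizmor` job's `permissions:` block grants only `security-events: write`, so every other scope (including `contents`) falls back to `none` for that job; `actions/checkout` then has no read token, which works on a public repository but fails on a private one, and the SARIF upload by zizmor-action is documented as also needing `actions: read` in private repositories. Adding `contents: read` and `actions: read` under `security-events: write` makes the job work regardless of repository visibility at no extra privilege cost. Separately, the `push`/`pull_request` path filters only cover `.github/workflows/**` while the scan input is `.github/`, so if this repository has composite actions under `.github/actions/` a change there would not trigger the scan; widening the filter to `.github/**` would close that gap. The `detect-noop` job pins `step-security/harden-runner` but the `zizmor` job does not, which looks like an oversight rather than a deliberate difference.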