From 3d8b9fef4f5ffcbdb78fd935df82636a9bfe582d Mon Sep 17 00:00:00 2001 From: Naji Obeid Date: Fri, 3 Jan 2025 15:35:28 +0000 Subject: [PATCH 1/3] integrate zizmor in github actions --- .github/workflows/release.yml | 3 ++- .github/workflows/rubocop.yml | 2 ++ .github/workflows/test.yml | 1 + .github/workflows/zizmor.yml | 36 +++++++++++++++++++++++++++++++++++ 4 files changed, 41 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 63290c7..425796b 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,10 +19,11 @@ jobs: id-token: write steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Ruby uses: ruby/setup-ruby@v1 with: - bundler-cache: true ruby-version: ruby - uses: rubygems/release-gem@v1 diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml index 7cacecc..726d096 100644 --- a/.github/workflows/rubocop.yml +++ b/.github/workflows/rubocop.yml @@ -11,6 +11,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: ruby/setup-ruby@v1 with: ruby-version: 3.4 diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 0d289c0..509afe9 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -29,6 +29,7 @@ jobs: - uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - uses: ruby/setup-ruby@v1 with: ruby-version: ${{ matrix.version }} diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..d915605 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,36 @@ +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +jobs: + zizmor: + name: zizmor latest via PyPI + runs-on: ubuntu-latest + permissions: + security-events: write + # required for workflows in private repositories + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v5 + + - name: Run zizmor + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor From e8c7c160baae427b913d22e190b60eb1e990cd13 Mon Sep 17 00:00:00 2001 From: Naji Obeid Date: Tue, 7 Jan 2025 21:24:19 +0000 Subject: [PATCH 2/3] change zizmor output format to report warnings --- .github/workflows/zizmor.yml | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index d915605..c09cf12 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -23,14 +23,10 @@ jobs: - name: Install the latest version of uv uses: astral-sh/setup-uv@v5 + with: + enable-cache: false - name: Run zizmor - run: uvx zizmor --format sarif . > results.sarif + run: uvx zizmor --format plain . env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: results.sarif - category: zizmor From dc5ddb0874dd5ec20c50780b259f5aa6d668d03b Mon Sep 17 00:00:00 2001 From: Naji Obeid Date: Wed, 8 Jan 2025 15:07:48 +0000 Subject: [PATCH 3/3] reference ruby v1 branch in gh action --- .github/workflows/release.yml | 9 +++++++-- .github/workflows/rubocop.yml | 6 +++++- .github/workflows/test.yml | 6 +++++- 3 files changed, 17 insertions(+), 4 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 425796b..0b7b466 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -21,9 +21,14 @@ jobs: - uses: actions/checkout@v4 with: persist-credentials: false + + # zizmor complains that 'v1' is a ref that can be provided by both the branch and tag namespaces. + # specify that we want the v1 branch. - name: Set up Ruby - uses: ruby/setup-ruby@v1 + uses: ruby/setup-ruby@refs/heads/v1 with: ruby-version: ruby - - uses: rubygems/release-gem@v1 + # zizmor complains that 'v1' is a ref that can be provided by both the branch and tag namespaces. + # specify that we want the v1 branch. + - uses: rubygems/release-gem@refs/heads/v1 diff --git a/.github/workflows/rubocop.yml b/.github/workflows/rubocop.yml index 726d096..82700df 100644 --- a/.github/workflows/rubocop.yml +++ b/.github/workflows/rubocop.yml @@ -13,8 +13,12 @@ jobs: - uses: actions/checkout@v4 with: persist-credentials: false - - uses: ruby/setup-ruby@v1 + + # zizmor complains that 'v1' is a ref that can be provided by both the branch and tag namespaces. + # specify that we want the v1 branch. + - uses: ruby/setup-ruby@refs/heads/v1 with: ruby-version: 3.4 + - run: bundle install - run: bundle exec rake -t rubocop diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 509afe9..e06bc3d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -30,8 +30,12 @@ jobs: with: submodules: true persist-credentials: false - - uses: ruby/setup-ruby@v1 + + # zizmor complains that 'v1' is a ref that can be provided by both the branch and tag namespaces. + # specify that we want the v1 branch. + - uses: ruby/setup-ruby@refs/heads/v1 with: ruby-version: ${{ matrix.version }} + - run: bundle install - run: bundle exec rake -t spec