diff --git a/.github/workflows/ci_file_health.yaml b/.github/workflows/ci_file_health.yaml
index fb5cb44e6..48bc52f59 100644
--- a/.github/workflows/ci_file_health.yaml
+++ b/.github/workflows/ci_file_health.yaml
@@ -12,11 +12,15 @@ jobs:
   ci:
     name: Check
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
-      - name: Install tools
+      - name: Setup python
         uses: actions/setup-python@v5
         with:
           python-version: "*"
@@ -42,3 +46,26 @@ jobs:
           done
           # check diff, ignore "Automatically generated by ..." part
           git diff -I '\.\\".*' --exit-code
+
+      - name: Check GitHub Actions workflow
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip install zizmor
+          IGNORE_RULEID='(.ruleId != "template-injection")
+            and (.ruleId != "unpinned-uses")'
+          IGNORE_ID='(.id != "template-injection")
+            and (.id != "unpinned-uses")'
+          zizmor \
+            --format sarif \
+            --pedantic \
+            ./ \
+            | jq "(.runs[].results |= map(select($IGNORE_RULEID)))
+              | (.runs[].tool.driver.rules |= map(select($IGNORE_ID)))" \
+            > "${{ runner.temp }}/zizmor_results.sarif"
+
+      - name: Upload zizmor results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: zizmor
+          sarif_file: "${{ runner.temp }}/zizmor_results.sarif"
diff --git a/.github/workflows/ci_macos.yaml b/.github/workflows/ci_macos.yaml
index 216d3a2fd..9a0c30225 100644
--- a/.github/workflows/ci_macos.yaml
+++ b/.github/workflows/ci_macos.yaml
@@ -2,8 +2,7 @@ name: CI - macOS
 
 on: [pull_request, push]
 
-permissions:
-  actions: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Build
     runs-on: macos-latest
+    permissions:
+      actions: write
     strategy:
       fail-fast: false
 
@@ -28,6 +29,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         uses: Wandalen/wretry.action@v3
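Review bot: The job-level `permissions:` block added under `runs-on` grants only `security-events: write` and never `contents: read`, although this job runs `actions/checkout`; the same holds for the job-level blocks added in ci_macos, ci_ubuntu, ci_webui and ci_windows. On a public repository the checkout still succeeds through anonymous read, but on a private repository or private fork the step would fail, so confirm which case applies and consider spelling out `contents: read` as the usual companion of a workflow-level `permissions: {}`. Lines 1–11 of ci_file_health.yaml are not touched by this commit, so unless a workflow-level `permissions: {}` already exists there, this is the one workflow in the series whose token keeps the repository default scope; adding `permissions: {}` at the top, as done for the other files, would make the set consistent. The `ci` job continues past the end of this hunk.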
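Review bot: The `run:` block of the new "Check GitHub Actions workflow" step has no `shell:` key, so unless a job-level `defaults.run.shell` outside the hunk sets one it runs under GitHub's default `bash -e {0}` without `pipefail`, and the status of the `zizmor … | jq … > …` pipeline is jq's, not zizmor's: if zizmor fails, jq can exit 0 on empty input, the step passes, and the upload step then runs on an empty file rather than a SARIF report. Add `shell: bash` to the step (GitHub then runs `bash --noprofile --norc -eo pipefail`), and if zizmor signals findings through its exit status, handle that status explicitly so the filtered file is still written. `pip install zizmor` is unpinned, so the set of audits and their output can change between runs with no change to the repository; pin it, e.g. `pip install 'zizmor==<PINNED_VERSION>'`. The jq filter also deletes entries from `.runs[].tool.driver.rules`; if zizmor's results refer to rules by `ruleIndex` (not visible here, confirm against a sample report), compacting that array makes the surviving indexes point at the wrong rule, and filtering `.results` alone avoids that. Since the step suppresses `unpinned-uses` while the workflow itself uses floating major tags (`actions/checkout@v4`, `github/codeql-action/upload-sarif@v3`), a comment above `IGNORE_RULEID` giving the reason for each excluded rule would record the decision; the `ci` job begins above this hunk.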
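Review bot: `persist-credentials: false` on the checkout step stops actions/checkout from leaving `GITHUB_TOKEN` in the clone's git config, which is the right default, but any later step of this job that pushes, fetches a private submodule or otherwise relies on that stored credential will stop working; the remainder of the job is outside the hunk, so confirm none of the following steps do. The same check applies to the checkout hunks in ci_python, ci_ubuntu, ci_webui, ci_windows and coverity-scan. A one-line comment above `with:` such as `# do not leave GITHUB_TOKEN in .git/config for later steps` would record why the option is set.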
diff --git a/.github/workflows/ci_python.yaml b/.github/workflows/ci_python.yaml
index e3183da5a..871614dad 100644
--- a/.github/workflows/ci_python.yaml
+++ b/.github/workflows/ci_python.yaml
@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup python (auxiliary scripts)
         uses: actions/setup-python@v5
diff --git a/.github/workflows/ci_ubuntu.yaml b/.github/workflows/ci_ubuntu.yaml
index bb47d5724..6e4d88fa1 100644
--- a/.github/workflows/ci_ubuntu.yaml
+++ b/.github/workflows/ci_ubuntu.yaml
@@ -2,9 +2,7 @@ name: CI - Ubuntu
 
 on: [pull_request, push]
 
-permissions:
-  actions: write
-  security-events: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -14,6 +12,9 @@ jobs:
   ci:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      security-events: write
     strategy:
       fail-fast: false
 
@@ -30,6 +31,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: |
diff --git a/.github/workflows/ci_webui.yaml b/.github/workflows/ci_webui.yaml
index 2c9d87f4b..a5bc1115a 100644
--- a/.github/workflows/ci_webui.yaml
+++ b/.github/workflows/ci_webui.yaml
@@ -2,8 +2,7 @@ name: CI - WebUI
 
 on: [pull_request, push]
 
-permissions:
-  security-events: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Check
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
 
     defaults:
       run:
@@ -21,6 +22,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup nodejs
         uses: actions/setup-node@v4
diff --git a/.github/workflows/ci_windows.yaml b/.github/workflows/ci_windows.yaml
index 7d51381bf..ce3b7de38 100644
--- a/.github/workflows/ci_windows.yaml
+++ b/.github/workflows/ci_windows.yaml
@@ -2,8 +2,7 @@ name: CI - Windows
 
 on: [pull_request, push]
 
-permissions:
-  actions: write
+permissions: {}
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Build
     runs-on: windows-latest
+    permissions:
+      actions: write
     strategy:
       fail-fast: false
 
@@ -27,6 +28,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup devcmd
         uses: ilammy/msvc-dev-cmd@v1
diff --git a/.github/workflows/coverity-scan.yaml b/.github/workflows/coverity-scan.yaml
index 9b6e9e8ff..dae137238 100644
--- a/.github/workflows/coverity-scan.yaml
+++ b/.github/workflows/coverity-scan.yaml
@@ -26,6 +26,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: |
diff --git a/.github/workflows/stale_bot.yaml b/.github/workflows/stale_bot.yaml
index 6cd727855..705f6a5c9 100644
--- a/.github/workflows/stale_bot.yaml
+++ b/.github/workflows/stale_bot.yaml
@@ -4,12 +4,13 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
-permissions:
-  pull-requests: write
+permissions: {}
 
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Mark and close stale PRs
         uses: actions/stale@v9