GHA CI: add checking for GHA workflows

PR #22200. --------- Co-authored-by: userdocs <16525024+userdocs@users.noreply.github.com>
2025-04-03 23:42:06 +08:00 · 2025-01-26 03:44:59 +08:00 · 2025-01-26 03:44:59 +08:00 · 3ef4d0d798
commit 3ef4d0d798
parent e2341f5217
8 changed files with 56 additions and 12 deletions
--- a/.github/workflows/ci_file_health.yaml
+++ b/.github/workflows/ci_file_health.yaml
@ -12,11 +12,15 @@ jobs:
  ci:
    name: Check
    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false

-      - name: Install tools
+      - name: Setup python
        uses: actions/setup-python@v5
        with:
          python-version: "*"
@ -42,3 +46,26 @@ jobs:
          done
          # check diff, ignore "Automatically generated by ..." part
          git diff -I '\.\\".*' --exit-code
+
+      - name: Check GitHub Actions workflow
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip install zizmor
+          IGNORE_RULEID='(.ruleId != "template-injection")
+            and (.ruleId != "unpinned-uses")'
+          IGNORE_ID='(.id != "template-injection")
+            and (.id != "unpinned-uses")'
+          zizmor \
+            --format sarif \
+            --pedantic \
+            ./ \
+            | jq "(.runs[].results |= map(select($IGNORE_RULEID)))
+              | (.runs[].tool.driver.rules |= map(select($IGNORE_ID)))" \
+            > "${{ runner.temp }}/zizmor_results.sarif"
+
+      - name: Upload zizmor results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: zizmor
+          sarif_file: "${{ runner.temp }}/zizmor_results.sarif"
--- a/.github/workflows/ci_macos.yaml
+++ b/.github/workflows/ci_macos.yaml
@ -2,8 +2,7 @@ name: CI - macOS

 on: [pull_request, push]

-permissions:
-  actions: write
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@ -13,6 +12,8 @@ jobs:
  ci:
    name: Build
    runs-on: macos-latest
+    permissions:
+      actions: write

    strategy:
      fail-fast: false
@ -28,6 +29,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false

      - name: Install dependencies
        uses: Wandalen/wretry.action@v3
--- a/.github/workflows/ci_python.yaml
+++ b/.github/workflows/ci_python.yaml
@ -16,6 +16,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false

      - name: Setup python (auxiliary scripts)
        uses: actions/setup-python@v5
--- a/.github/workflows/ci_ubuntu.yaml
+++ b/.github/workflows/ci_ubuntu.yaml
@ -2,9 +2,7 @@ name: CI - Ubuntu

 on: [pull_request, push]

-permissions:
-  actions: write
-  security-events: write
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@ -14,6 +12,9 @@ jobs:
  ci:
    name: Build
    runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      security-events: write

    strategy:
      fail-fast: false
@ -30,6 +31,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false

      - name: Install dependencies
        run: |
--- a/.github/workflows/ci_webui.yaml
+++ b/.github/workflows/ci_webui.yaml
@ -2,8 +2,7 @@ name: CI - WebUI

 on: [pull_request, push]

-permissions:
-  security-events: write
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@ -13,6 +12,8 @@ jobs:
  ci:
    name: Check
    runs-on: ubuntu-latest
+    permissions:
+      security-events: write

    defaults:
      run:
@ -21,6 +22,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false

      - name: Setup nodejs
        uses: actions/setup-node@v4
--- a/.github/workflows/ci_windows.yaml
+++ b/.github/workflows/ci_windows.yaml
@ -2,8 +2,7 @@ name: CI - Windows

 on: [pull_request, push]

-permissions:
-  actions: write
+permissions: {}

 concurrency:
  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@ -13,6 +12,8 @@ jobs:
  ci:
    name: Build
    runs-on: windows-latest
+    permissions:
+      actions: write

    strategy:
      fail-fast: false
@ -27,6 +28,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false

      - name: Setup devcmd
        uses: ilammy/msvc-dev-cmd@v1
--- a/.github/workflows/coverity-scan.yaml
+++ b/.github/workflows/coverity-scan.yaml
@ -26,6 +26,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false

      - name: Install dependencies
        run: |
--- a/.github/workflows/stale_bot.yaml
+++ b/.github/workflows/stale_bot.yaml
@ -4,12 +4,13 @@ on:
  schedule:
    - cron: '0 0 * * *'

-permissions:
-  pull-requests: write
+permissions: {}

 jobs:
  stale:
    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
    steps:
      - name: Mark and close stale PRs
        uses: actions/stale@v9