From 8cffde0ba6d481803673f891b5431f5af4f2f153 Mon Sep 17 00:00:00 2001 From: Lukasz Date: Fri, 16 Jan 2026 18:48:24 +0100 Subject: [PATCH] feat: add zizmor workflow checks for GitHub Actions --- .github/workflows/zizmor.yaml | 55 +++++++++++++++++++++++++++++++++++ 1 file changed, 55 insertions(+) create mode 100644 .github/workflows/zizmor.yaml diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 000000000..d759befaa --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,55 @@ +name: GitHub Actions Security Analysis (zizmor) + +on: + pull_request: + branches: ["**"] + paths: + - ".github/workflows/**" + push: + branches: ["main"] + paths: + - ".github/workflows/**" + workflow_dispatch: + +permissions: {} + +jobs: + zizmor_pr_blocking: + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + permissions: + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + + - name: Run zizmor (blocking, HIGH only) + uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0 + with: + advanced-security: false + annotations: true + min-severity: high + inputs: | + .github/workflows + + zizmor_main_sarif: + if: github.event_name != 'pull_request' + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 + with: + persist-credentials: false + + - name: Run zizmor (SARIF) + uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0 + with: + inputs: | + .github/workflows