build(deps): bump the dependencies group with 2 updates #67
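---
# CI Guardrails: workflow and supply-chain hygiene checks (zizmor, poutine,
# TruffleHog, plus repository consistency scripts under .github/scripts).
# Every job runs behind a block-all egress policy with an explicit endpoint
# allowlist and checks the repository out without persisting credentials.
name: CI Guardrails
on: # yamllint disable-line rule:truthy
  push:
    branches:
      - 'main'
  pull_request:
  workflow_dispatch:
# One in-flight run per pull request (or per ref for pushes); a newer run
# cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true
# Default-deny GITHUB_TOKEN at the workflow level; jobs that need scopes
# declare them individually.
permissions: {}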
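jobs:
  # zizmor via its action; results are published to code scanning, hence the
  # job-level security-events: write.
  zizmor:
    name: Analyze (Zizmor)
    runs-on: ubuntu-latest
    permissions:
      security-events: write # Required to create code scanning alerts
      # NOTE(review): contents: read is not granted here. Checkout of a public
      # repository works without it; a private repository would need it — confirm.
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          disable-sudo-and-containers: false # needed for Zizmor's use of Docker
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            ghcr.io:443
            github.com:443
            pkg-containers.githubusercontent.com:443
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0

  # Installs a poutine release pinned in .github/tools/versions.json, runs it,
  # uploads the SARIF, and fails the job when poutine reported findings.
  poutine:
    name: Analyze (Poutine)
    runs-on: ubuntu-latest
    permissions:
      security-events: write # Required to create code scanning alerts
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          disable-sudo-and-containers: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            release-assets.githubusercontent.com:443
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Load pinned tool versions
        id: versions
        run: |
          set -euo pipefail
          # jq -e exits non-zero when the key is missing or null, so a broken
          # versions.json fails this step instead of yielding a "null" download URL.
          poutine="$(jq -er '.poutine' .github/tools/versions.json)"
          echo "poutine=${poutine}" >> "$GITHUB_OUTPUT"
      - name: Install poutine
        env:
          VERSION: ${{ steps.versions.outputs.poutine }}
        run: |
          # pipefail: a failed download fails the step directly rather than
          # relying on tar to choke on a truncated stream.
          set -euo pipefail
          # NOTE(review): the archive is version-pinned but not checksum-verified;
          # if the release publishes a checksum file, verify the tarball against
          # it before extracting — confirm what the release provides.
          curl -sSfL "https://github.com/boostsecurityio/poutine/releases/download/v${VERSION}/poutine_Linux_x86_64.tar.gz" \
            | tar -xzf - -C /usr/local/bin poutine
      - name: Run poutine
        id: poutine
        continue-on-error: true
        run: |
          # pipefail: otherwise the pipeline's status is jq's, so a non-zero
          # poutine exit (which the "Fail if poutine reported findings" step
          # below relies on) would never make steps.poutine.outcome 'failure'.
          # The SARIF file is still written when poutine exits non-zero.
          set -euo pipefail
          # poutine emits an all-zero GUID that fails GitHub's UUID validation;
          # pipe through jq to replace it with a valid RFC-4122 nil-equivalent.
          poutine analyze_local "${GITHUB_WORKSPACE}" -f sarif \
            | jq '(.runs[].tool.driver.supportedTaxonomies[] | select(.guid == "00000000-0000-0000-0000-000000000000")).guid = "00000000-0000-1000-8000-000000000000"' \
            > poutine_results.sarif
      - name: Upload poutine SARIF file
        uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
        with:
          sarif_file: poutine_results.sarif
      - name: Fail if poutine reported findings
        if: steps.poutine.outcome == 'failure'
        # Second, plain-output run: presumably to print the findings in the job
        # log while failing the job.
        run: poutine analyze_local "${GITHUB_WORKSPACE}"

  # TruffleHog action at a version pinned in .github/tools/versions.json,
  # reporting verified and unknown results.
  trufflehog:
    name: Analyze (TruffleHog)
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          disable-sudo-and-containers: false # needed for TruffleHog's use of Docker
          egress-policy: block
          allowed-endpoints: >
            ghcr.io:443
            github.com:443
            pkg-containers.githubusercontent.com:443
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Load pinned tool versions
        id: versions
        run: |
          set -euo pipefail
          # jq -e: a missing or null key fails this step instead of passing
          # "null" as the action's version input.
          trufflehog="$(jq -er '.trufflehog' .github/tools/versions.json)"
          echo "trufflehog=${trufflehog}" >> "$GITHUB_OUTPUT"
      - name: Run TruffleHog
        uses: trufflesecurity/trufflehog@041f07e9df901a1038a528e5525b0226d04dd5ea # v3.93.6
        with:
          extra_args: --results=verified,unknown
          version: ${{ steps.versions.outputs.trufflehog }}

  # Runs .github/scripts/check-pom-consistency.py under uv; PyPI endpoints are
  # allowlisted so uv can resolve the python-common dependency group.
  pom-consistency:
    name: Analyze (POM Consistency)
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          disable-sudo-and-containers: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            files.pythonhosted.org:443
            github.com:443
            pypi.org:443
            release-assets.githubusercontent.com:443
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Set up uv
        uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
      - name: Check plugin version consistency
        run: uv run --project .github/tools --group python-common python3 .github/scripts/check-pom-consistency.py

  # Runs .github/scripts/check-hook-coverage.py with the runner's python3;
  # no network beyond github.com is needed.
  hook-coverage:
    name: Validate Hook Coverage Mapping
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          disable-sudo-and-containers: true
          egress-policy: block
          allowed-endpoints: >
            github.com:443
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Validate hook coverage mapping
        run: python3 .github/scripts/check-hook-coverage.py

  # Runs .github/scripts/check-hook-revisions-frozen.py with the runner's
  # python3; no network beyond github.com is needed.
  hook-revisions-frozen:
    name: Validate Hook Revisions Are Frozen
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
        with:
          disable-sudo-and-containers: true
          egress-policy: block
          allowed-endpoints: >
            github.com:443
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Validate hook revisions are frozen
        run: python3 .github/scripts/check-hook-revisions-frozen.py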