From 78a81960e390746bad6d393a5598783cd494e7ad Mon Sep 17 00:00:00 2001 From: Thomas de Meyer Date: Tue, 28 Apr 2026 14:57:52 +0200 Subject: [PATCH 1/2] Add pinact and zizmor workflow checks --- .github/workflows/ci.yml | 12 +++++------ .github/workflows/pinact.yaml | 32 +++++++++++++++++++++++++++++ .github/workflows/release.yml | 19 +++++++++-------- .github/workflows/release_maven.yml | 8 ++++---- .github/workflows/zizmor.yaml | 32 +++++++++++++++++++++++++++++ 5 files changed, 85 insertions(+), 18 deletions(-) create mode 100644 .github/workflows/pinact.yaml create mode 100644 .github/workflows/zizmor.yaml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 38fdb0a1..14c2a8be 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -14,10 +14,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'temurin' java-version: '11' @@ -27,7 +27,7 @@ jobs: - run: ./scripts/install_local.sh - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: path: test persist-credentials: 'false' @@ -43,16 +43,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'temurin' java-version: '11' - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" diff --git a/.github/workflows/pinact.yaml b/.github/workflows/pinact.yaml new file mode 100644 index 00000000..2ae23a34 --- /dev/null +++ b/.github/workflows/pinact.yaml 
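Review bot: The first `actions/checkout` step in this hunk (and the checkout of the second job in the `@@ -43` hunk of this file) still persists the job's `GITHUB_TOKEN` into `.git/config`, whereas the second checkout of the same job already sets `persist-credentials: 'false'`; swapping the tag for a SHA does not change that default. Any later step or third-party action in the job can read the token out of the checked-out tree, and no step visible here pushes, so add `with:` / `persist-credentials: false` under both pinned checkout lines to match the hardened step. Separately, this file pins checkout at `v4.3.1` while the new pinact and zizmor workflows in the same patch pin `v6.0.2`; settling on one major keeps future pin bumps in lockstep. The enclosing job header sits above the hunk.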
@@ -0,0 +1,32 @@ +name: Pinact + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + paths: + - ".github/workflows/**" + - ".github/actions/**" + +permissions: {} + +jobs: + pinact: + # Only run on pull requests from the same repository + if: github.event.pull_request.head.repo.full_name == github.repository + runs-on: ubuntu-latest + permissions: + contents: read + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Pin actions + uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0 + with: + skip_push: true + verify: true + min_age: 7 diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 7131f69d..b2c1b5ea 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -19,10 +19,10 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'temurin' java-version: '11' 
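Review bot: The `if:` on the pinact job compares `github.event.pull_request.head.repo.full_name` with `github.repository`, but on the `push` trigger to `main` the `pull_request` context is absent, so the expression is false and the job is skipped on every push; the push trigger is effectively dead. Gate pull requests only: `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. Also worth a second look: with `permissions: contents: read`, `persist-credentials: false` and `skip_push: true` the job cannot write anything, so the same-repo gate mostly means fork PRs that touch workflows never get the pin check; if that is not intentional the gate can be dropped, and a `paths:` filter on `push` matching the one on `pull_request` would avoid running on unrelated pushes.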
@@ -36,21 +36,24 @@ jobs: GRADLE_PUBLISH_SECRET: ${{ secrets.GRADLE_PUBLISH_SECRET }} - name: Build and Release - run: ./gradlew -Pversion=${{ github.ref_name }} clean check publishMavenPublicationToSonatype closeAndReleaseSonatypeStagingRepository + run: ./gradlew -Pversion="${VERSION}" clean check publishMavenPublicationToSonatype closeAndReleaseSonatypeStagingRepository env: + VERSION: ${{ github.ref_name }} SONATYPE_USERNAME: ${{ secrets.SONATYPE_USERNAME }} SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" - name: Build NPM package run: | - ./gradlew -Pversion=${{ github.ref_name }} tools:cli-application:shadowJar + ./gradlew -Pversion="${VERSION}" tools:cli-application:shadowJar cp rmf-codegen.jar node/rmf-codegen/bin + env: + VERSION: ${{ github.ref_name }} - name: Creating .npmrc run: | @@ -77,12 +80,12 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 with: ref: main - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" @@ -90,7 +93,7 @@ jobs: working-directory: node/rmf-codegen run: yarn version --no-git-tag-version --minor - - uses: stefanzweifel/git-auto-commit-action@v4.6.0 + - uses: stefanzweifel/git-auto-commit-action@5c9bfe7477fd67ca1ffc9fed4a69fb7a6a46dcfe # v4.6.0 with: file_pattern: "node/rmf-codegen/package.json" commit_message: "Bump codegen version" diff --git a/.github/workflows/release_maven.yml b/.github/workflows/release_maven.yml index 602a5ed0..b1fd0e16 100644 --- a/.github/workflows/release_maven.yml +++ b/.github/workflows/release_maven.yml 
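Review bot: `VERSION: ${{ github.ref_name }}` is now declared twice in this hunk, once in each step's `env:`; a third copy will appear the next time a Gradle invocation is added, and one forgotten spot puts `${{ }}` back into a `run:` line. Declare it once at job level (the job header is above this hunk), e.g. `env:` / `  VERSION: ${{ github.ref_name }}`, and keep the step-level `env:` blocks for the secrets only. Quoting `"${VERSION}"` in the shell is right and should stay.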
@@ -18,16 +18,16 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v4 + uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Setup Java - uses: actions/setup-java@v4 + uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0 with: distribution: 'temurin' java-version: '11' - name: Setup Node - uses: actions/setup-node@v4 + uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version: "18" @@ -45,7 +45,7 @@ jobs: SONATYPE_PASSWORD: ${{ secrets.SONATYPE_PASSWORD }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - uses: stefanzweifel/git-auto-commit-action@v4.6.0 + - uses: stefanzweifel/git-auto-commit-action@5c9bfe7477fd67ca1ffc9fed4a69fb7a6a46dcfe # v4.6.0 with: file_pattern: "scripts/install.sh" commit_message: "TASK: Updating version in README" diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 00000000..8e6493b9 --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,32 @@ +name: Zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + paths: + - ".github/workflows/**" + - ".github/actions/**" + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + with: + advanced-security: false + annotations: true + min-severity: high From b9c03a8f86382e7a0a042af7f052f457c42ccc2a Mon Sep 17 00:00:00 2001 From: Thomas de Meyer Date: Tue, 28 Apr 2026 14:59:31 +0200 Subject: [PATCH 2/2] Add min-confidence filter to zizmor workflow to skip low-confidence false positives --- .github/workflows/zizmor.yaml | 1 + 1 file changed, 1 insertion(+) 
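Review bot: The zizmor job requests `actions: read` although `advanced-security: false` disables the SARIF/code-scanning upload; as far as I recall, zizmor-action documents that permission (together with `security-events: write`) only for uploading results on private repositories, so with annotations-only output `contents: read` alone should suffice and fits the top-level `permissions: {}` intent. Second, `min-severity: high` drops every medium and low finding, which — if I remember zizmor's defaults correctly — includes the credential-persistence audit (`artipacked`) for `actions/checkout` steps, a finding this same patch leaves in place in `ci.yml`; consider `min-severity: medium`, or add a comment above the line recording why the floor is high. The hunk covers the complete new file.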
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml index 8e6493b9..3453502a 100644 --- a/.github/workflows/zizmor.yaml +++ b/.github/workflows/zizmor.yaml @@ -30,3 +30,4 @@ jobs: advanced-security: false annotations: true min-severity: high + min-confidence: medium
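Review bot: Raising the confidence floor applies to every audit in every workflow, so a future genuine high-severity finding that zizmor reports at low confidence is dropped together with today's false positives, and nothing in the repository records which findings prompted the filter. Prefer targeted suppressions at the offending line, `# zizmor: ignore[<audit-name>]` with a short justification, or a per-rule `ignore:` entry in a `zizmor.yml` config, and leave `min-confidence` at its default; if the global floor stays, add a comment above it naming the false positives it is meant to hide. The hunk is the tail of the `with:` block; the step header is outside the hunk.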