diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fa727795f..8fac4f701 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,6 +6,9 @@ on:
     tags:
       - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: write
+
 jobs:
   ci:
     permissions:
@@ -17,6 +20,8 @@ jobs:
 
   create_release:
     name: Create Release
+    permissions:
+      contents: write
     needs: ci
     runs-on: ubuntu-latest
     env:
@@ -31,9 +36,11 @@ jobs:
     steps:
       - name: Is Pre-release
         id: is_prerelease
+        env:
+          REF: ${{ github.ref }}
         run: |
           set +e
-          echo ${{ github.ref }} | grep "\-rc.*"
+          echo "${REF}" | grep "\-rc.*"
           OUT=$?
           if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
           echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}"
@@ -106,6 +113,8 @@ jobs:
 
   update_reference_docs:
     name: Update Reference Docs
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     needs: create_release
     if: needs.create_release.outputs.is_prerelease == 'false'
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000..0057146c4
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,17 @@
+name: Zizmor security scan
+on:
+  push:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+  security-events: write
+
+jobs:
+  zizmor:
+    uses: smallstep/workflows/.github/workflows/zizmor.yml@main
+    secrets: inherit
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..92a614677
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,12 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "smallstep/*": ref-pin
+  secrets-inherit:
+    disable: true
+  ref-confusion:
+    disable: true
+  dangerous-triggers:
+    ignore:
+      - triage.yml
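Review bot: The new workflow-level `permissions: contents: write` becomes the default token scope for every job in release.yml that does not declare its own `permissions:` block, which is broader than the least privilege the rest of this commit is aiming for. The jobs touched here (`ci`, `create_release`, `update_reference_docs`) each carry their own block, so the top-level entry only matters for jobs without one, and I cannot see from these hunks whether such a job exists between lines 40 and 106. Consider `contents: read` at the workflow level and leave the elevation to `create_release`, which this diff already gives `contents: write`.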
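Review bot: Routing `github.ref` through the `REF` env var instead of expanding it inside `run:` is the right fix for the template-injection pattern, but the remaining `set +e` / `grep` / `$?` sequence is more than the check needs, and the `\-` in `grep "\-rc.*"` is a non-standard BRE escape that GNU grep happens to treat as a literal hyphen. A bash pattern test removes both concerns: `if [[ "${REF}" == *-rc* ]]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi`, followed by the existing `echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}"`, with `set +e` dropped so the step keeps the default fail-fast shell. The enclosing `create_release` job continues outside the hunk.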
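Review bot: The reusable workflow at `uses: smallstep/workflows/.github/workflows/zizmor.yml@main` is fetched from a mutable branch and is handed every repository secret via `secrets: inherit` plus `security-events: write`, so whoever can push to that branch decides what runs here with those secrets. Pin the ref to a commit SHA with the tag in a trailing comment, e.g. `uses: smallstep/workflows/.github/workflows/zizmor.yml@<sha> # vX.Y`, and drop `secrets: inherit` unless the called workflow demonstrably needs something beyond `GITHUB_TOKEN` (I cannot see its contents from this diff). The `concurrency.group` expression also reads `github.event.pull_request.number`, which is always empty with only `push` and `workflow_call` as triggers; harmless, but `${{ github.workflow }}-${{ github.ref }}` says the same thing.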
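Review bot: `secrets-inherit: disable: true` and `ref-confusion: disable: true` switch those audits off for every workflow in the repository, and the `"smallstep/*": ref-pin` policy lets the `@main` reference in the accompanying zizmor workflow pass as pinned; together they mask exactly the findings the new scan is meant to surface. Prefer a scoped suppression that keeps the rules active elsewhere, e.g. `secrets-inherit: { ignore: [zizmor.yml] }` in place of `disable: true`, and add a comment above each entry recording why the exception exists so it can be revisited. The `dangerous-triggers` ignore names `triage.yml`, which is not part of this diff, so I cannot confirm which trigger it exempts.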