diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index df627eb..b850b42 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -15,6 +15,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
         with:
           go-version-file: go.mod
@@ -27,6 +30,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
       - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
         with:
           go-version-file: go.mod
diff --git a/.github/workflows/licensing.yaml b/.github/workflows/licensing.yaml
index fc51d23..20146b9 100644
--- a/.github/workflows/licensing.yaml
+++ b/.github/workflows/licensing.yaml
@@ -17,6 +17,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - run: sudo gem install license_finder
       - run: license_finder
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 71bce79..1daf031 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -30,6 +31,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Calculate new version with autotag
         id: autotag
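Review bot: `- run: sudo gem install license_finder`, the context line directly under the new `persist-credentials: false`, installs whatever version RubyGems serves at run time and does so as root, while every action in this same workflow is pinned to a commit SHA; a compromised or breaking gem release would land unreviewed in the next run. Pin it to the release currently in use, e.g. `- run: sudo gem install license_finder --version X.Y.Z`, and consider a short comment above the step noting that the scan runs with the checkout token no longer persisted, so the gem cannot push with it.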
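Review bot: With `persist-credentials: false` added under this checkout, the job token is no longer written into `.git/config`, so if any later step in the release job pushes the tag that `autotag` computes with plain `git push --tags`, it will now fail with an authentication error; those steps are outside the hunk, so confirm how the tag reaches the remote. If a push is required, supply the token on that step only, e.g. via `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and a URL of the form `https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}`, rather than re-enabling credential persistence for the whole job.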
@@ -42,25 +43,8 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3
-
-      - name: Cache
-        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
-        id: cache
-        with:
-          path: |
-            go-pkg-mod
-            go-build
-          key: ${{ runner.os }}-go-cache-${{ hashFiles('**/go.sum') }}-v2
-
-      - name: inject go caches into docker
-        uses: reproducible-containers/buildkit-cache-dance@5b6db76d1da5c8b307d5d2e0706d266521b710de # v3.1.2
         with:
-          cache-map: |
-            {
-              "go-pkg-mod": "/go/pkg/mod",
-              "go-build": "/root/.cache/go-build"
-            }
-          skip-extraction: ${{ steps.cache.outputs.cache-hit }}
+          cache-binary: false
       - name: Build and push
         uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6
diff --git a/.github/workflows/validate-renovate.yml b/.github/workflows/validate-renovate.yml
index 965d367..7b3b31d 100644
--- a/.github/workflows/validate-renovate.yml
+++ b/.github/workflows/validate-renovate.yml
@@ -13,6 +13,8 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4
         with:
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 0000000..2d5d373
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
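Review bot: The new `cache-binary: false` under the setup-buildx-action `with:` block carries no explanation, and because the same hunk deletes the `actions/cache` and `buildkit-cache-dance` steps a reader will assume the two are linked; a line above it such as `# do not store the buildx binary in the Actions cache; download it fresh each run` would make the intent explicit. With both caches gone the Docker build now fetches Go modules from the network on every run, so expect longer builds; the `with:` block of the `Build and push` step that follows lies outside the hunk, so check it no longer references the removed `go-pkg-mod` / `go-build` paths or the `steps.cache` output.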
@@ -0,0 +1,36 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a # v5
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169 # v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
\ No newline at end of file
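Review bot: `run: uvx zizmor --format sarif . > results.sarif` executes whatever zizmor release PyPI serves at run time, with `GH_TOKEN` in its environment and a job token that carries `security-events: write`, while every action in the same file is pinned to a commit SHA; pin the package as well, e.g. `run: uvx 'zizmor==X.Y.Z' --format sarif . > results.sarif` with the release in use, so a compromised or breaking zizmor release cannot land silently (the job name "latest via PyPI" suggests the unpinned install is deliberate; if so, a comment stating why belongs above the step). If zizmor returns a non-zero exit code when it has findings — recent releases do unless `--no-exit-codes` is given — the `Upload SARIF file` step is skipped in exactly the runs that produce results, so either add `--no-exit-codes` to the command or put `if: always()` on the upload step; confirm against the behaviour of the version actually installed. The file also ends without a trailing newline.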