github/zizmor: add action that checks actions security

This should give us some "Code scanning" alerts when GitHub workflows are implemented poorly. Note that the backport action will trigger an alert, due to the fact that we have to use `pull_request_target`, which is inherently hard to use securely. Inspired by: https://woodruffw.github.io/zizmor/usage/#use-in-github-actions
epics-extensions · Nov 27, 2024 · bd0290f · bd0290f
1 parent 5317be2
commit bd0290f
Showing 1 changed file with 33 additions and 0 deletions.
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,33 @@
+# Inspired by:
+# https://woodruffw.github.io/zizmor/usage/#use-in-github-actions
+
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: cachix/install-nix-action@3715ab1a11cac9e991980d7b4a28d80c7ebdd8f9 # v27
+      - name: Run zizmor 🌈
+        run: nix run 'nixpkgs#zizmor' -- --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
+        with:
+          sarif_file: results.sarif
+          category: zizmor