
Scan GitHub workflows with zizmor #50

Closed
ncoghlan opened this issue Oct 28, 2024 · 3 comments · Fixed by #57
Labels: Category: Maintainability (Proposed improvement to project maintainability); CI (Automation) (Continuous integration and other automation)

Comments

ncoghlan (Collaborator) commented Oct 28, 2024

Static security analysis tool for GitHub action configs: https://github.com/woodruffw/zizmor

(discovered via one of the other Python core developers running it on the CPython repo and reporting the results)

ncoghlan added the labels CI (Automation) and Category: Maintainability on Oct 28, 2024
ncoghlan self-assigned this on Oct 28, 2024
ncoghlan added a commit that referenced this issue Oct 29, 2024
Includes a small update to the launch modules in
the sample project so the PR generation for output
updates is tested with the updated workflow.

Addresses initial manual workflow scan for #50
ncoghlan (Collaborator, Author) commented:

#51 addresses the initial scan result, but keeping this issue open as any change to the workflows should automatically re-run the scan and upload the SARIF results.

ncoghlan (Collaborator, Author) commented Oct 29, 2024

#51 has been updated to also include an automated scan (as per woodruffw/zizmor#69)
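A workflow of the kind the two comments above describe (re-run zizmor whenever the workflows change and upload the SARIF results to code scanning), written here as an added example rather than the workflow from #51. It assumes zizmor is installable from PyPI, that `zizmor --format sarif` writes SARIF to stdout, that the default branch is `main`, and that the CodeQL `upload-sarif` action accepts that file; pin action and package versions in a real repository.

```yaml
name: zizmor

on:
  push:
    branches: [main]          # assumption: default branch name
  pull_request:
    paths:
      - ".github/workflows/**"  # only re-scan when a workflow actually changed

# Least privilege at the top level; the job widens only what the upload needs.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # public repo, so read is enough to check out
      security-events: write  # needed for upload-sarif to post results
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false  # do not leave the token in .git/config

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"

      # Assumption: zizmor is installed from PyPI. A non-zero exit on findings
      # fails this step, which is why the upload below runs with if: always().
      - name: Run zizmor
        run: |
          python -m pip install zizmor
          zizmor --format sarif . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # lets online audits query GitHub

      - name: Upload SARIF to code scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: zizmor
```

Findings then appear as code scanning alerts on the pull request, so a reviewer sees them without reading the job log.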

ncoghlan added a commit that referenced this issue Oct 29, 2024
Address zizmor scan results, and set up a workflow
to scan them in CI after the repo has been published.

Includes a small update to the launch modules in
the sample project so the PR generation for output
updates has been tested with the updated workflow.

Implements most of #50
ncoghlan (Collaborator, Author) commented:

While #51 mostly implemented this CI feature, it can only be fully resolved once the repository has been published:

ncoghlan added a commit that referenced this issue Oct 30, 2024
Repository is now public, so read permissions can be assumed.

Closes #50