diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..aa8259d
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
diff --git a/git-clone/action.yml b/git-clone/action.yml
index 2b8b742..338fb25 100644
--- a/git-clone/action.yml
+++ b/git-clone/action.yml
@@ -12,7 +12,7 @@ runs:
 using: "composite"
 steps:
 - name: Install uv
- uses: astral-sh/setup-uv@v5
+ uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
 - name: Run cloning script
 shell: bash
 env:
diff --git a/setup-deploy/action.yml b/setup-deploy/action.yml
index accdf65..d8dbfda 100644
--- a/setup-deploy/action.yml
+++ b/setup-deploy/action.yml
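Review bot: The job grants only `security-events: write` under a workflow-level `permissions: {}`, so the checkout step and the SARIF upload performed inside zizmor-action run with no `contents: read` or `actions: read`; on a public repository the default token can still read the repository, but on a private one both steps would be expected to fail. If this repository is private, extend the job permissions with `contents: read` and `actions: read` (the latter is what upload-sarif needs there), otherwise a short comment stating that the public-repo defaults are relied upon would keep the next reader from widening the grant by guesswork. Note also that for `pull_request` runs from forks the token is read-only, so the upload cannot succeed on those events regardless of the declared permissions; a comment on the `pull_request` trigger, such as `# SARIF upload only works for same-repo PRs; fork PRs get a read-only token`, would document that.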
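Review bot: The new pin in git-clone/action.yml is annotated `# v5`, a major-line tag that moves with every release, so the comment cannot later be checked against the SHA it sits next to, whereas the zizmor workflow added in the same commit records the exact release (`# v6.0.2`, `# v0.5.3`). Record the exact tag the SHA was resolved from, e.g. `uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5.<minor>.<patch>` (placeholder; take it from the release that maps to this commit), which is also what tools that keep SHA pins up to date key on. The same applies to `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4` in setup-deploy/action.yml. The `env:` of the following "Run cloning script" step continues outside the hunk.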
@@ -19,16 +19,19 @@ runs:
 using: "composite"
 steps:
 - name: Clone ${{ inputs.repo }} repository
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 with:
 token: ${{ inputs.git-pat }}
 path: ${{ inputs.repo }}
+ persist-credentials: false
 - name: Load environment variables from ${{ inputs.deps-version-file }} file
 shell: bash
 run: |
 # grep -v '^#' ignores comment lines
 # grep -v '^$' ignores empty lines
- grep -v '^#' ${{ inputs.deps-version-file }} | grep -v '^$' >> $GITHUB_ENV
+ grep -v '^#' ${INPUTS_DEPS_VERSION_FILE} | grep -v '^$' >> $GITHUB_ENV
+ env:
+ INPUTS_DEPS_VERSION_FILE: ${{ inputs.deps-version-file }}
 - name: Clone edh-catalogue-api and edh-catalogue-manager repositories
 uses: bopen/ci-cd/git-clone@main
 with:
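Review bot: The rewritten shell line expands `${INPUTS_DEPS_VERSION_FILE}` unquoted, so moving the input into `env:` closes the template-injection path but a value containing whitespace or glob characters is still word-split and globbed before grep sees it, and `$GITHUB_ENV` on the same line has the same weakness. Quote both expansions: `grep -v '^#' "${INPUTS_DEPS_VERSION_FILE}" | grep -v '^$' >> "$GITHUB_ENV"`. The file's lines are appended to `$GITHUB_ENV` verbatim, so any line that is not a plain `KEY=VALUE` is handed to the runner's environment-file parser as-is; a one-line comment above the command, such as `# deps file must contain only KEY=VALUE lines (no heredoc delimiters); it is appended to GITHUB_ENV unchecked`, would make that contract explicit. The `with:` block of the last step continues outside the hunk.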