From a0d950195064a8b752f550c6f61e450fb043a0ec Mon Sep 17 00:00:00 2001 From: Thomas De Meyer Date: Tue, 28 Apr 2026 10:49:48 +0200 Subject: [PATCH 1/5] Add pinact and zizmor workflow checks --- .github/workflows/changie.yaml | 4 ++-- .github/workflows/pinact.yaml | 30 ++++++++++++++++++++++++++++++ .github/workflows/zizmor.yaml | 29 +++++++++++++++++++++++++++++ 3 files changed, 61 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/pinact.yaml create mode 100644 .github/workflows/zizmor.yaml diff --git a/.github/workflows/changie.yaml b/.github/workflows/changie.yaml index 7ab6bea..7aa517e 100644 --- a/.github/workflows/changie.yaml +++ b/.github/workflows/changie.yaml @@ -15,11 +15,11 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0 with: fetch-depth: 0 - name: Prepare release - uses: labd/changie-release-action@v0.2.0 + uses: labd/changie-release-action@767b033c5eeef3070b58796aab052c3077873371 # v0.2.0 with: github-token: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/pinact.yaml b/.github/workflows/pinact.yaml new file mode 100644 index 0000000..01f5744 --- /dev/null +++ b/.github/workflows/pinact.yaml @@ -0,0 +1,30 @@ +name: Pinact + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + paths: + - ".github/workflows/**" + - ".github/actions/**" + +permissions: {} + +jobs: + pinact: + # Only run on pull requests from the same repository + if: github.event.pull_request.head.repo.full_name == github.repository + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Pin actions + uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0 + with: + skip_push: true + verify: true + min_age: 7 diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 0000000..8d83fe1 --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,29 @@ +name: GitHub Actions Security Analysis with zizmor + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + paths: + - ".github/workflows/**" + - ".github/actions/**" + +permissions: {} + +jobs: + zizmor: + name: Run zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. + contents: read # Only needed for private repos. Needed to clone the repo. + actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info. + steps: + - name: Checkout repository + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 From fd35c144bd7487783db2471d81086a5689baa12f Mon Sep 17 00:00:00 2001 From: Thomas De Meyer Date: Tue, 28 Apr 2026 11:08:25 +0200 Subject: [PATCH 2/5] Update zizmor workflow: disable advanced-security, enable annotations --- .github/workflows/zizmor.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml index 8d83fe1..b837cda 100644 --- a/.github/workflows/zizmor.yaml +++ b/.github/workflows/zizmor.yaml @@ -16,9 +16,8 @@ jobs: name: Run zizmor runs-on: ubuntu-latest permissions: - security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files. - contents: read # Only needed for private repos. Needed to clone the repo. - actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info. + contents: read + actions: read steps: - name: Checkout repository uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 @@ -27,3 +26,6 @@ jobs: - name: Run zizmor uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 + with: + advanced-security: false + annotations: true From f6c594976151e24242633063b70a4b865e6e1bfe Mon Sep 17 00:00:00 2001 From: Thomas De Meyer Date: Tue, 28 Apr 2026 11:15:01 +0200 Subject: [PATCH 3/5] Set zizmor min-severity to medium --- .github/workflows/zizmor.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml index b837cda..a1e97ba 100644 --- a/.github/workflows/zizmor.yaml +++ b/.github/workflows/zizmor.yaml @@ -29,3 +29,4 @@ jobs: with: advanced-security: false annotations: true + min-severity: medium From aa647e942ed2622683a7c77f191b90707dd402f6 Mon Sep 17 00:00:00 2001 From: Thomas De Meyer Date: Tue, 28 Apr 2026 11:27:46 +0200 Subject: [PATCH 4/5] Set zizmor min-severity to high --- .github/workflows/zizmor.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml index a1e97ba..c4ee23b 100644 --- a/.github/workflows/zizmor.yaml +++ b/.github/workflows/zizmor.yaml @@ -29,4 +29,4 @@ jobs: with: advanced-security: false annotations: true - min-severity: medium + min-severity: high From 2994ea25efcfd9f2f7585818496560e48b6c2301 Mon Sep 17 00:00:00 2001 From: Thomas De Meyer Date: Tue, 28 Apr 2026 11:30:12 +0200 Subject: [PATCH 5/5] chore: change zizmor name --- .github/workflows/zizmor.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml index c4ee23b..8e6493b 100644 --- a/.github/workflows/zizmor.yaml +++ b/.github/workflows/zizmor.yaml @@ -1,4 +1,4 @@ -name: GitHub Actions Security Analysis with zizmor +name: Zizmor on: push: