Add zizmor checks

The actions are nothing complicated so there should be limited to no risk, but better safe than sorry, and zizmor seems to run really fast so probably not any sort of bottleneck.
ua-parser · Dec 22, 2024 · 67ed305 · 67ed305
1 parent 2aacc8d
commit 67ed305
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 0 deletions.
diff --git a/.github/workflows/py-checks.yml b/.github/workflows/py-checks.yml
@@ -13,6 +13,8 @@ jobs:
     steps:
     - name: Checkout working copy
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: ruff check
       uses: chartboost/ruff-action@v1
       with:

diff --git a/.github/workflows/py-tests.yml b/.github/workflows/py-tests.yml
@@ -19,6 +19,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
@@ -79,6 +81,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}

diff --git a/.github/workflows/pyo3-wheels.yml b/.github/workflows/pyo3-wheels.yml
@@ -57,6 +57,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
@@ -79,6 +81,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Build sdist
         uses: PyO3/maturin-action@v1
         with:
@@ -140,6 +144,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:

diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -13,6 +13,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - run: cargo fmt --check
     - if: always()
       run: cargo clippy
@@ -24,6 +26,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         submodules: true
+        persist-credentials: false
     - run: cargo check
     - run: cargo test -r --verbose
 
@@ -35,5 +38,6 @@ jobs:
     - uses: actions/checkout@v4
       with:
         submodules: true
+        persist-credentials: false
     - run: cargo update --verbose
     - run: cargo test -r --verbose
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,29 @@
+name: Zizmor
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v4
+      - name: Run zizmor
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor