ci: address lint findings, add zizmor workflow #262
Signed-off-by: William Woodruff <william@astral.sh>
I misread this; the GITHUB_TOKEN is used for auth instead of the persisted credential. Signed-off-by: William Woodruff <william@astral.sh>
(Note: hash-pinning actions can seem quite noisy, but Dependabot will correctly update them (including the comments). Just in case you're worried about additional maintenance burden there!)

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Thanks @Swatinem! There shouldn't be any breakage with these changes, but if you have any at all please ping me and I'd be happy to help resolve them 🙂 (The most common problem people have is when
Hi there!
First, I wanted to say thanks for creating and maintaining this action -- I use it both personally and professionally, and it's been a joy to use.
I'm filing this with a bunch of (small) security fixes, all of which were identified by zizmor, which I maintain. None of the findings were particularly severe or immediately exploitable, which is why I'm filing it without a private disclosure -- I think these would all be good to fix as a matter of defense-in-depth, but there's no significant urgency to them 🙂
To summarize:
- Hash-pinning every action referenced by `uses:` -- this makes the CI more hermetic, and makes it less likely that a security or reliability issue gets introduced via a tag mutation.
- Adding `persist-credentials: false` to as many `actions/checkout` usages as possible -- this eliminates an implicitly persisted credential that GitHub Actions adds by default, which the overwhelming majority of workflows don't need.
- Adding a `zizmor.yml` workflow that'll run zizmor on every PR and push; it's integrated into GitHub's "Advanced Security" so that you'll get alerts on PRs that introduce potential issues. However, this is only if you want continuous scanning here; if you'd prefer to not have another thing in your CI, I'm happy to remove this step!
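As an added illustration of the two workflow-hygiene properties the PR description lists (this is example code written for this page, not code from the PR, from zizmor, or from the action's own repository): a deliberately small Python checker that walks a constructed workflow snippet and flags `uses:` references that are not pinned to a full 40-hex commit SHA, SHA pins that lack the `# vX.Y.Z` comment Dependabot keeps current, and `actions/checkout` steps that leave `persist-credentials` at its default of true. It is a line-oriented approximation rather than a real YAML parser, the rule names are this example's own and not zizmor's audit identifiers, and the SHA in the sample is a made-up placeholder; for actual scanning, run zizmor itself.

```python
import re

# Constructed workflow snippet for this example (not taken from the PR). The
# 40-hex SHA below is a made-up placeholder, not a real actions/checkout commit.
SAMPLE_WORKFLOW = """\
name: CI
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Swatinem/rust-cache@v2
        with:
          key: ${{ runner.os }}
      - name: Checkout (hardened)
        uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4.2.2
        with:
          persist-credentials: false
      - run: cargo test
"""

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
STEP_RE = re.compile(r"^\s*-\s+([\w-]+):\s*(.*?)\s*$")  # '- key: value' opens a step
KV_RE = re.compile(r"^\s*([\w-]+):\s*(.*?)\s*$")        # 'key: value' inside a step


def parse_steps(workflow_text):
    """Line-oriented approximation of a YAML parse: a step starts at a
    '- key: value' line and owns every following 'key: value' line. Keys
    nested under 'with:' are flattened into the same dict, which is enough
    for the checks below (a real tool should use a proper YAML parser)."""
    steps, current = [], None
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = STEP_RE.match(line)
        if m:
            current = {"_line": lineno, m.group(1): m.group(2)}
            steps.append(current)
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return steps


def find_findings(workflow_text):
    """Return (line, rule, message) tuples for the constructed rule set."""
    findings = []
    for step in parse_steps(workflow_text):
        uses = step.get("uses")
        if uses is None:
            continue  # plain 'run:' steps reference no external action
        ref_part, _, comment = uses.partition("#")  # optional '# vX.Y.Z' trailer
        action, _, ref = ref_part.strip().partition("@")
        if action.startswith("./"):
            continue  # local actions live in this repo and have no ref to pin
        if not SHA_RE.match(ref):
            findings.append((step["_line"], "unpinned-uses",
                f"{action}@{ref}: tags and branches are mutable; pin to a full commit SHA"))
        elif not comment.strip():
            findings.append((step["_line"], "pin-without-comment",
                f"{action}: add a '# vX.Y.Z' comment so the pin stays readable and Dependabot can bump it"))
        if action == "actions/checkout" and step.get("persist-credentials", "").lower() != "false":
            findings.append((step["_line"], "persist-credentials",
                "actions/checkout writes the job token into the checkout's git config by default; "
                "set persist-credentials: false unless a later step pushes with it"))
    return findings


if __name__ == "__main__":
    for line, rule, message in find_findings(SAMPLE_WORKFLOW):
        print(f"line {line}: [{rule}] {message}")
```

Run against the sample, the two unpinned `@v4`/`@v2` steps and the unhardened checkout are reported, while the hash-pinned, commented, `persist-credentials: false` checkout passes; the same three properties are what the PR's changes establish for each workflow.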