fix(security): pin reusable-zizmor to fork SHA for code scanning #818
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: zizmor GitHub Actions static analysis | |
| on: | |
| push: | |
| pull_request: | |
| types: | |
| - edited | |
| - opened | |
| - ready_for_review | |
| - synchronize | |
| - reopened | |
| merge_group: | |
| types: [checks_requested] | |
| jobs: | |
| zizmor-check: | |
| name: Check whether there are things to scan | |
| permissions: | |
| contents: read | |
| runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }} | |
| outputs: | |
| found-files: ${{ steps.zizmor-check.outputs.found-files }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5 | |
| - name: Run zizmor | |
| id: zizmor-check | |
| shell: bash | |
| run: | | |
| FOUND_FILES=false | |
| SEARCH=$(find . -path "**/.github/workflows/*.yml" -o -path "**/.github/workflows/*.yaml" -o -path "**/action.yml" -o -path "**/action.yaml") | |
| if [ -n "$SEARCH" ]; then | |
| FOUND_FILES=true | |
| fi | |
| echo "found-files=${FOUND_FILES}" >> $GITHUB_OUTPUT | |
| zizmor: | |
| name: Run zizmor | |
| permissions: | |
| actions: read | |
| contents: read | |
| id-token: write | |
| pull-requests: write | |
| security-events: write | |
| needs: | |
| - zizmor-check | |
| if: ${{ needs.zizmor-check.outputs.found-files == 'true' }} | |
| # Testing security-appsec#326: reusable with optional .github/zizmor-collection-ignore. Point org rulesets at | |
| # branch test/zizmor-vendor-excludes-326 to validate; replace with grafana/shared-workflows@<merge SHA> for main. | |
| # Pinned to fork SHA (not a branch ref) to satisfy code scanning unpinned-reusable-workflow rules; bump when testing new commits. | |
| uses: isaiah-grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@ca9579cb3a5b072b4f75af091380536c01131610 | |
| with: | |
| runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }} | |
| # Pilot branch: only fail on critical so high-severity zizmor findings do not block ruleset/PR testing (#326). | |
| # Revert to high when swapping uses: back to grafana/shared-workflows@<merge SHA> on main. | |
| fail-severity: critical | |
| min-severity: high | |
| min-confidence: low | |
| extra-args: --offline | |
| # Reusable workflow gates bench job on org + non-fork PR (OIDC/Vault not available on fork PRs); pass true to opt in. | |
| send-bench-metrics: true | |
| secrets: inherit |