periodic-zizmor.yaml
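---
# Periodic zizmor scan.
#
# Runs zizmor (a static analyser for GitHub Actions workflows) against every
# repository listed in the matrix and pushes the SARIF findings into that
# repository's code-scanning dashboard. The scan runs from this repository:
# the zizmor config is read from this checkout, the target repository is
# checked out under ./target, and all GitHub API calls use a short-lived
# GitHub App installation token scoped to the target repository.
name: Periodic Zizmor

# Deny every permission at the workflow level; the job opts in explicitly.
permissions: {}

on:
  schedule:
    # Set to run once a day at 10:00 UTC
    - cron: "0 10 * * *"
  pull_request:
    branches:
      - main

jobs:
  zizmor:
    name: Run zizmor
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # presumably required for the OIDC exchange done by get-vault-secrets — verify against that action's docs
      id-token: write
    strategy:
      # Each repository is scanned independently; a failure for one target
      # must not cancel the remaining matrix entries.
      fail-fast: false
      matrix:
        repository:
          # - owner: grafana
          #   repo: grafana
          # - owner: grafana
          #   repo: loki
          # - owner: grafana
          #   repo: tempo
          # - owner: grafana
          #   repo: mimir
          - owner: grafana
            repo: security-github-actions
            # Branch name; it is also used to build the refs/heads/... value
            # for the SARIF upload, so a tag or SHA would not work here.
            ref: main
    env:
      # Quoted so YAML keeps it a string (it is also used as a cache suffix).
      ZIZMOR_VERSION: "1.6.0"
      MIN_SEVERITY: high
      MIN_CONFIDENCE: low
    steps:
      # Checkout of this repository: provides .github/zizmor.yml to the scan.
      # NOTE(review): actions/checkout, create-github-app-token and
      # github-script are pinned by mutable tag while setup-uv is pinned to a
      # commit SHA; pinning all of them to a SHA (with the tag in a trailing
      # comment, as setup-uv does) keeps the supply chain consistent.
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Do not leave the workflow token in .git/config.
          persist-credentials: false

      # Exports ZIZMOR_APP_ID / ZIZMOR_PRIVATE_KEY as environment variables.
      - name: Get GitHub App Secrets
        uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.2.0
        with:
          common_secrets: |
            ZIZMOR_APP_ID=zizmor:app-id
            ZIZMOR_PRIVATE_KEY=zizmor:private-key

      # Mint an installation token limited to the single target repository.
      - name: Authenticate App With GitHub
        uses: actions/create-github-app-token@v2
        id: get-token
        with:
          app-id: ${{ env.ZIZMOR_APP_ID }}
          private-key: ${{ env.ZIZMOR_PRIVATE_KEY }}
          owner: ${{ matrix.repository.owner }}
          repositories: |
            ${{ matrix.repository.repo }}

      - name: Checkout Target
        uses: actions/checkout@v4
        with:
          repository: ${{ matrix.repository.owner }}/${{ matrix.repository.repo }}
          token: ${{ steps.get-token.outputs.token }}
          path: target
          fetch-depth: 0
          ref: ${{ matrix.repository.ref }}

      - name: Setup UV
        uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1
        with:
          enable-cache: true
          activate-environment: true
          # Key the tool cache on the zizmor version so upgrades are not
          # served from a stale cache.
          cache-suffix: ${{ env.ZIZMOR_VERSION }}
          cache-dependency-glob: ""

      # Matrix values are passed through env, never interpolated into the
      # shell line, so a crafted owner/repo name cannot inject commands.
      - name: Run zizmor
        env:
          ZIZMOR_CACHE_DIR: ${{ runner.temp }}/.cache/zizmor
          REPOSITORY: ${{ matrix.repository.owner }}/${{ matrix.repository.repo }}
          GH_TOKEN: ${{ steps.get-token.outputs.token }}
        shell: sh
        # --no-exit-codes: zizmor signals findings through a non-zero exit
        # status; under `sh -e` that would abort this step before the SARIF
        # is uploaded, so let the code-scanning dashboard carry the result.
        # The config is read from this repository's checkout (the working
        # directory); ./target is the repository being scanned.
        run: >-
          uvx zizmor@"${ZIZMOR_VERSION}"
          --no-exit-codes
          --format sarif
          --min-severity "${MIN_SEVERITY}"
          --min-confidence "${MIN_CONFIDENCE}"
          --config .github/zizmor.yml
          ./target
          > results.sarif

      # The upload must reference the exact commit that was scanned.
      - name: Repository Info
        id: repo-info
        working-directory: ./target
        run: |
          SHA=$(git rev-parse HEAD)
          echo "sha=${SHA}" >> "$GITHUB_OUTPUT"

      # The code-scanning API expects the SARIF gzipped and base64-encoded.
      - name: Prepare SARIF results
        id: prepare-sarif
        run: |
          RESULTS=$(gzip -c results.sarif | base64 -w 0)
          echo "results=${RESULTS}" >> "$GITHUB_OUTPUT"

      - name: Upload SARIF results
        uses: actions/github-script@v7
        env:
          OWNER: ${{ matrix.repository.owner }}
          REPO: ${{ matrix.repository.repo }}
          SHA: ${{ steps.repo-info.outputs.sha }}
          REF: refs/heads/${{ matrix.repository.ref }}
          SARIF_RESULTS: ${{ steps.prepare-sarif.outputs.results }}
        with:
          # The App token, not GITHUB_TOKEN: the upload targets another repository.
          github-token: ${{ steps.get-token.outputs.token }}
          script: |
            // Read inputs from env rather than template expressions so that
            // no workflow value is spliced into JavaScript source.
            const { OWNER, REPO, SHA, REF, SARIF_RESULTS } = process.env;
            const response = await github.rest.codeScanning.uploadSarif({
              owner: OWNER,
              repo: REPO,
              commit_sha: SHA,
              ref: REF,
              sarif: SARIF_RESULTS,
            });
            console.log(response.status);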