Add zizmor github actions security analysis workflow #1813
Conversation
notmandatory
requested review from
ValuedMammal
and removed request for
ValuedMammal
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
notmandatory
changed the title
notmandatory
force-pushed
the
ci/zizmor
branch
from
42bcf95 to
95e53d0
Compare
|
Rebased on updated and merged #1778 ready to review and merge, zizmor finds no issues now. |
| contents: read | ||
| actions: read |
There was a problem hiding this comment.
As this is a public repo, this could be removed ?
| - name: Install the latest version of uv | ||
| uses: astral-sh/setup-uv@v5 | ||
|
|
||
| - name: Run zizmor 🌈 | ||
| run: uvx zizmor --format sarif . > results.sarif | ||
| env: | ||
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
I like the idea of having a zizmor job, however, I'm wondering if there's another simpler/safer way to run it, instead of bringing this new action (setup-uv) AFAICT just for the python package manager 🤔
Description
Added workflow to run zizmor github actions security analysis.
See: https://woodruffw.github.io/zizmor/usage/#use-in-github-actions
Notes to the reviewers
I built this PR on top of #1778.
Changelog notice
Checklists
All Submissions:
cargo fmtandcargo clippybefore committing