authorXe Iaso <me@xeiaso.net>2025-04-02 19:53:44 -0400
committerGitHub <noreply@github.com>2025-04-02 19:53:44 -0400
commit5c43cc205d6a31de78e7b4fe2128c7711381daa2 (patch)
tree0b21b2b7637c6847f396b6e9efe50fe39fc60181 /.github/workflows
parent8bb9236c724a23b0c7ae4dd0f5bc97dba2966267 (diff)
parent573dfd099fa53c0cdbc3256cf15ea36af5bb9cb0 (diff)
Merge branch 'main' into Xe/MakefileXe/Makefile
Signed-off-by: Xe Iaso <me@xeiaso.net>
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/docker-pr.yml5
-rw-r--r--.github/workflows/docker.yml1
-rw-r--r--.github/workflows/docs-deploy.yml2
-rw-r--r--.github/workflows/go.yml4
-rw-r--r--.github/workflows/zizmor.yml35
5 files changed, 45 insertions, 2 deletions
diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml
index b124f75..03539f7 100644
--- a/.github/workflows/docker-pr.yml
+++ b/.github/workflows/docker-pr.yml
@@ -19,6 +19,7 @@ jobs:
with:
fetch-tags: true
fetch-depth: 0
+ persist-credentials: false
- name: Set up Homebrew
uses: Homebrew/actions/setup-homebrew@master
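Review bot: The step right after the hardened checkout still runs `Homebrew/actions/setup-homebrew@master`, a mutable branch ref, so whatever lands on that branch executes in this job on its next run. Pinning it to a full commit SHA, e.g. `uses: Homebrew/actions/setup-homebrew@<FULL_COMMIT_SHA>  # master`, would close that gap; the same context line appears in the docker.yml hunk. `persist-credentials: false` keeps the checkout token out of `.git/config`, but it does not limit what a later action can do with secrets handed to it. The job continues outside the hunk, so which secrets later steps receive is not visible here.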
@@ -62,4 +63,6 @@ jobs:
- run: |
echo "Test this with:"
- echo "docker pull ${{ steps.build.outputs.docker_image }}"
\ No newline at end of file
+ echo "docker pull ${DOCKER_IMAGE}"
+ env:
+ DOCKER_IMAGE: ${{ steps.build.outputs.docker_image }}
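Review bot: The new `env:` indirection on the final step has no comment explaining why it exists, so a later cleanup could fold it back into the inline expression. A `${{ … }}` expression inside `run:` is substituted into the script text before the shell parses it, so a step output containing shell metacharacters would be interpreted as code. Reading `${DOCKER_IMAGE}` from the environment keeps the value as data. I would add above `env:` the comment `# pass step outputs via env, never inline in run: (template injection)`.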
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index c3a532f..d094453 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -25,6 +25,7 @@ jobs:
with:
fetch-tags: true
fetch-depth: 0
+ persist-credentials: false
- name: Set up Homebrew
uses: Homebrew/actions/setup-homebrew@master
diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml
index 1636c48..652351f 100644
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -17,6 +17,8 @@ jobs:
steps:
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 09b543a..0be7b37 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -16,6 +16,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
+ with:
+ persist-credentials: false
- name: build essential
run: |
@@ -57,7 +59,7 @@ jobs:
${{ runner.os }}-golang-
- name: Cache playwright binaries
- uses: actions/cache@v3
+ uses: actions/cache@v4
id: playwright-cache
with:
path: |
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..c2a03ab
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,35 @@
+name: zizmor
+
+on:
+ push:
+ paths:
+ - '.github/workflows/*.ya?ml'
+ pull_request:
+ paths:
+ - '.github/workflows/*.ya?ml'
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v5
+
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
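Review bot: The `Run zizmor` step resolves the newest release on PyPI at run time (`uvx zizmor`) and runs it with `GH_TOKEN` in its environment, so an unexpected or compromised release would execute with this job's token on every workflow change, pull requests included. Pin the tool and bump it deliberately, e.g. `run: uvx zizmor@<PINNED_VERSION> --format sarif . > results.sarif`. The three `uses:` lines are referenced by tag (`@v4`, `@v5`, `@v3`), and tags can be moved; full commit SHAs with the tag kept as a trailing comment would make the scanner's own workflow reproducible. The job-level `permissions:` block limiting the token to `security-events: write` is worth keeping as is.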