| author | Xe Iaso <me@xeiaso.net> | 2025-04-02 00:08:34 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-04-02 00:08:34 -0400 |
| commit | f3bee69849e5025f089d60b561c7d2fa7b916eb8 (patch) | |
| tree | a29df4c62d89124a3e7377fcc9e51610ab212e97 | |
| parent | 555aed5fb42ac8f404571f1202f2294ab3a4b6e8 (diff) | |
| parent | fc237a16900362eac5395a424d88fe6381b4affa (diff) | |
| download | anubis-f3bee69849e5025f089d60b561c7d2fa7b916eb8.tar.xz anubis-f3bee69849e5025f089d60b561c7d2fa7b916eb8.zip | |
Merge branch 'main' into Xe/yeet-binaries
Signed-off-by: Xe Iaso <me@xeiaso.net>
| -rw-r--r-- | .github/workflows/docker-pr.yml | 5 | ||||
| -rw-r--r-- | .github/workflows/docker.yml | 1 | ||||
| -rw-r--r-- | .github/workflows/docs-deploy.yml | 2 | ||||
| -rw-r--r-- | .github/workflows/go.yml | 2 | ||||
| -rw-r--r-- | .github/workflows/zizmor.yml | 35 | ||||
| -rw-r--r-- | docs/docs/CHANGELOG.md | 2 |
6 files changed, 46 insertions, 1 deletions
diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml
index b124f75..03539f7 100644
--- a/.github/workflows/docker-pr.yml
+++ b/.github/workflows/docker-pr.yml
@@ -19,6 +19,7 @@ jobs:
 with:
 fetch-tags: true
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Homebrew
 uses: Homebrew/actions/setup-homebrew@master
@@ -62,4 +63,6 @@ jobs:
 - run: |
 echo "Test this with:"
- echo "docker pull ${{ steps.build.outputs.docker_image }}"
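Review bot: `uses: Homebrew/actions/setup-homebrew@master` on the new side of this hunk still tracks a mutable branch, so the job's contents can change on every run regardless of the `persist-credentials: false` hardening added two lines above it; pin it to a full commit SHA with the tag in a trailing comment, `uses: Homebrew/actions/setup-homebrew@<commit-sha>  # <tag>`. The same line is context in the docker.yml hunk below. The `@v4`/`@v3`/`@v5` references elsewhere in this commit are movable tags too and are worth pinning the same way, which presumably accounts for some of the zizmor findings the changelog says were not all fixed. The enclosing `jobs:` block starts and ends outside the hunk.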
\ No newline at end of file
+ echo "docker pull ${DOCKER_IMAGE}"
+ env:
+ DOCKER_IMAGE: ${{ steps.build.outputs.docker_image }}
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index c3a532f..d094453 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -25,6 +25,7 @@ jobs:
 with:
 fetch-tags: true
 fetch-depth: 0
+ persist-credentials: false
 - name: Set up Homebrew
 uses: Homebrew/actions/setup-homebrew@master
diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml
index 1636c48..652351f 100644
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -17,6 +17,8 @@ jobs:
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@v3
diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml
index 09b543a..3c333dd 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -16,6 +16,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: build essential
 run: |
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..c2a03ab
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,35 @@
+name: zizmor
+
+on:
+ push:
+ paths:
+ - '.github/workflows/*.ya?ml'
+ pull_request:
+ paths:
+ - '.github/workflows/*.ya?ml'
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v5
+
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
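Review bot: `run: uvx zizmor --format sarif . > results.sarif` in the new zizmor.yml resolves whatever zizmor release is newest on PyPI at run time (the job name says as much) inside a job that holds `security-events: write` and receives `GH_TOKEN`, so the analyzer's own code is unpinned; pin it, `run: uvx zizmor==<pinned-version> --format sarif . > results.sarif`, and likewise pin `astral-sh/setup-uv@v5` and `github/codeql-action/upload-sarif@v3` to commit SHAs. If zizmor exits non-zero when it reports findings (its `--no-exit-codes` flag exists to turn that off; confirm the behaviour in SARIF mode), the `Upload SARIF file` step is skipped on exactly the runs that have something to upload; `if: always()` on that step, or `--no-exit-codes` on the run, keeps the upload unconditional. On `pull_request` runs from forks the token is read-only, so the upload will presumably fail there and that step may need a condition or a documented expectation.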
diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md
index 56aec57..789ecf6 100644
--- a/docs/docs/CHANGELOG.md
+++ b/docs/docs/CHANGELOG.md
@@ -31,6 +31,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added support for passing the ed25519 signing key in a file with `-ed25519-private-key-hex-file` or `ED25519_PRIVATE_KEY_HEX_FILE`.
 - Fixed minor typos
 - Added support for native Debian, Red Hat, and tarball packaging strategies including installation and use directions.
+- Added `zizmor` for GitHub Actions static analysis
+- Fixed most `zizmor` findings
 ## v1.15.1 |
