From f95a9a3715f744f1a7a7827268319d33043d57a7 Mon Sep 17 00:00:00 2001
From: Andrew Haines
Date: Fri, 1 May 2026 13:51:34 +0100
Subject: [PATCH] Audit GitHub Actions security
Signed-off-by: Andrew Haines
---
.github/workflows/publish.yaml | 10 +++++++---
.github/workflows/test.yaml | 34 ++++++++++------------------------
.github/workflows/zizmor.yaml | 30 ++++++++++++++++++++++++++++++
3 files changed, 47 insertions(+), 27 deletions(-)
create mode 100644 .github/workflows/zizmor.yaml
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 60d3e45..3508689 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -5,6 +5,10 @@ on:
push:
tags:
- "*"
+defaults:
+ run:
+ shell: bash
+permissions: {}
jobs:
publish:
runs-on: ubuntu-latest
@@ -12,18 +16,18 @@ jobs:
contents: read
packages: write
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
fetch-depth: 0
persist-credentials: false
- - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+ - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
java-version: "17"
distribution: "temurin"
- name: Validate Gradle wrapper
- uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6
+ uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
- name: Publish package
env:
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
index bf03b86..c8511c3 100644
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -4,6 +4,9 @@ on:
pull_request:
branches:
- main
+defaults:
+ run:
+ shell: bash
permissions: {}
jobs:
testMatrix:
@@ -16,18 +19,18 @@ jobs:
java: ["17", "21"]
name: "Java ${{ matrix.java }}"
steps:
- - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
+ - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
with:
java-version: "${{ matrix.java }}"
distribution: "temurin"
cache: "gradle"
- name: Validate Gradle wrapper
- uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6
+ uses: gradle/actions/wrapper-validation@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
- name: Run tests
run: ./gradlew test
@@ -39,34 +42,17 @@ jobs:
- name: Store reports
if: failure()
- uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: "Reports for Java ${{ matrix.java }}"
path: |-
**/build/reports/
**/build/test-results/
- afterTestMatrix:
- runs-on: ubuntu-latest
- needs: testMatrix
- if: success()
- outputs:
- success: ${{ steps.setoutput.outputs.success }}
- steps:
- - id: setoutput
- run: |-
- echo "::set-output name=success::true"
-
testSuccess:
runs-on: ubuntu-latest
- needs: [testMatrix, afterTestMatrix]
+ needs: testMatrix
if: always()
steps:
- - run: |-
- if [[ "${NEEDS_AFTERTESTMATRIX_OUTPUTS_SUCCESS}" == "true" ]]; then
- exit 0
- else
- exit 1
- fi
- env:
- NEEDS_AFTERTESTMATRIX_OUTPUTS_SUCCESS: ${{ needs.afterTestMatrix.outputs.success}}
+ - name: Check test results
+ run: test "${{ needs.testMatrix.result }}" = "success"
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 0000000..e7eacd3
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
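Review bot: The new `Check test results` step in the `testSuccess` job interpolates `${{ needs.testMatrix.result }}` directly into `run:`, which is the expression-in-shell pattern the removed step deliberately avoided by passing the value through an environment variable, and it is exactly the shape the zizmor workflow added in this same commit is likely to report as template injection. The value here is a fixed job-status string rather than attacker-influenced text, so the practical risk is low, but the env-var form is just as short and keeps the gate consistent with the audit: `env:` / `TEST_RESULT: ${{ needs.testMatrix.result }}` / `run: test "${TEST_RESULT}" = "success"`. With `if: always()` a cancelled or skipped matrix also yields a non-`success` result and the gate fails, which is the intended fail-closed behaviour; a comment on the step saying so would save the next reader from re-deriving it.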
@@ -0,0 +1,30 @@
+name: Audit GitHub Actions security
+
+on:
+ pull_request:
+ branches:
+ - main
+ push:
+ branches:
+ - main
+
+defaults:
+ run:
+ shell: bash
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Audit GitHub Actions security
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Check out code
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: cerbos/actions/lint-actions@bb5570805858670fd33787e9ded60b8c1140b2a1 # main
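Review bot: The `Run zizmor` step is pinned to a full commit SHA, which is right, but the trailing `# main` records only a branch name, so a reader cannot tell which release of the `cerbos/actions/lint-actions` composite (or of the zizmor it presumably runs underneath) that SHA corresponds to, and automated pin-updaters will keep advancing it against a moving target. Consider pinning to a tagged release of the action, or at least recording provenance in the comment, e.g. `# main as of <date> — zizmor <version>` (placeholders to be filled in). `security-events: write` is presumably needed for a SARIF upload into code scanning; on `pull_request` runs from forks the `GITHUB_TOKEN` is read-only regardless of this setting, so that upload may fail there unless the action degrades gracefully — worth checking. Because the job sets `permissions` explicitly, `contents` falls to `none`; if `actions/checkout` cannot fetch with that token, add `contents: read` alongside `security-events: write`.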