Skip to content
security

Harden GHA #3

Sign in to view logs

Harden GHA

Harden GHA #3

Workflow file for this run

.github/workflows/security.yml at 03ad2f8
name: security
on:
pull_request:
merge_group:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions:
contents: read
jobs:
pinact:
name: pinact
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
with:
skip_push: "true" # validate only; fail CI on unpinned actions
zizmor:
name: zizmor
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write # upload SARIF findings to Code Scanning
actions: read # required by zizmor-action for private/internal repos
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
with:
persona: pedantic
security:
name: security
permissions: {}
if: always()
needs:
- pinact
- zizmor
runs-on: ubuntu-latest
steps:
- name: Print all job results
env:
NEEDS_JSON: ${{ toJson(needs) }}
GITHUB_EVENT_NAME: ${{ github.event_name }}
run: |
echo "'needs': ${NEEDS_JSON}"
echo "github.event_name: ${GITHUB_EVENT_NAME}"
# In the merge queue, any skipped job is a failure (everything must run).
# In PR CI, skips are allowed (e.g. fork PRs without OIDC).
- if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || (github.event_name == 'merge_group' && contains(needs.*.result, 'skipped')) }}
run: exit 1