ci: add zizmor check and configuration
`zizmor` is a tool that uses static analysis to find potential security issues in GitHub Actions [0]. (Yes, it's a bit absurd that GitHub made a CI system so complicated that tools like this were created, but I digress.) Given our increase in GHA usage recently, I think this is a good step towards keeping our security posture in tip-top shape. (It also keeps with the theme of automating as many things as possible!) The rule related to the usages of dangerous-triggers have been disabled to avoid false-positives. Explanations about the usage of `pull_request_target` and expectations around its usage can be found in `.github/workflows/README.md`. [0]: https://woodruffw.github.io/zizmor/ Co-authored-by: Thomas Gerbet <thomas@gerbet.me>
This commit is contained in:
Winter
12
.github/zizmor.yml
vendored
Normal file
12
.github/zizmor.yml
vendored
Normal file
@@ -0,0 +1,12 @@
|
||||
# This file defines the ignore rules for zizmor.
|
||||
#
|
||||
# For rules that contain a high number of false positives, prefer listing them here
|
||||
# instead of adding ignore comments. Note that zizmor cannot ignore by line-within-a-string, so
|
||||
# there are some ignore items that encompass multiple problems within one `run` block. An issue
|
||||
# tracking this is at https://github.com/woodruffw/zizmor/issues/648.
|
||||
#
|
||||
# For more info, see the documentation: https://woodruffw.github.io/zizmor/usage/#ignoring-results
|
||||
|
||||
rules:
|
||||
dangerous-triggers:
|
||||
disable: true
|
||||
@@ -136,6 +136,8 @@ let
|
||||
[ "--config=${config}" ];
|
||||
includes = [ "*.md" ];
|
||||
};
|
||||
|
||||
programs.zizmor.enable = true;
|
||||
};
|
||||
fs = pkgs.lib.fileset;
|
||||
nixFilesSrc = fs.toSource {
|
||||
|
||||
Reference in New Issue
Block a user