From 1a9867167dd7c954a01ef78b03cf8ca7a7d0a30d Mon Sep 17 00:00:00 2001 From: Winter Date: Sat, 5 Apr 2025 20:22:25 -0400 Subject: [PATCH] ci: add zizmor check and configuration `zizmor` is a tool that uses static analysis to find potential security issues in GitHub Actions [0]. (Yes, it's a bit absurd that GitHub made a CI system so complicated that tools like this were created, but I digress.) Given our increase in GHA usage recently, I think this is a good step towards keeping our security posture in tip-top shape. (It also keeps with the theme of automating as many things as possible!) The rule related to the usages of dangerous-triggers has been disabled to avoid false-positives. Explanations about the usage of `pull_request_target` and expectations around its usage can be found in `.github/workflows/README.md`. [0]: https://woodruffw.github.io/zizmor/ Co-authored-by: Thomas Gerbet --- .github/zizmor.yml | 12 ++++++++++++ ci/default.nix | 2 ++ 2 files changed, 14 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000000..f1b71580ebca --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,12 @@ +# This file defines the ignore rules for zizmor. +# +# For rules that contain a high number of false positives, prefer listing them here +# instead of adding ignore comments. Note that zizmor cannot ignore by line-within-a-string, so +# there are some ignore items that encompass multiple problems within one `run` block. An issue +# tracking this is at https://github.com/woodruffw/zizmor/issues/648. +# +# For more info, see the documentation: https://woodruffw.github.io/zizmor/usage/#ignoring-results + +rules: + dangerous-triggers: + disable: true diff --git a/ci/default.nix b/ci/default.nix index 7b7424f4f5be..972c679a1492 100644 --- a/ci/default.nix +++ b/ci/default.nix
@@ -136,6 +136,8 @@ let [ "--config=${config}" ]; includes = [ "*.md" ]; }; + + programs.zizmor.enable = true; }; fs = pkgs.lib.fileset; nixFilesSrc = fs.toSource {
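Review bot: in the `.github/zizmor.yml` hunk, `disable: true` under `dangerous-triggers` switches the rule off for every workflow in the repository, while the header comment directly above describes a narrower mechanism (per-rule ignore entries, some of them covering a whole `run` block) that the file then never uses. The documented per-rule `ignore` list linked from that comment takes individual workflow file names (optionally with a line position), so the `pull_request_target` usages justified in `.github/workflows/README.md` could be listed one by one and any dangerous trigger introduced later would still be reported. If a blanket disable is really what is wanted, the comment should say so and point at the README, because the present text about `run` blocks and issue 648 concerns a different kind of finding and does not explain why this rule is off.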
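Review bot: in the `ci/default.nix` hunk, `programs.zizmor.enable = true;` is added without any options, so it relies on zizmor locating `.github/zizmor.yml` by itself; the entry immediately above passes its configuration explicitly with `"--config=${config}"`, and doing the same here would make the check independent of the directory the formatter runner is invoked from and make the dependency between the two files in this patch visible. It would also help to record, in the commit message or a comment, which files zizmor is run over: the neighbouring program limits itself with `includes = [ "*.md" ];` and nothing equivalent is shown for zizmor.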