ci: add zizmor check and configuration
`zizmor` is a tool that uses static analysis to find potential security issues in GitHub Actions [0]. (Yes, it's a bit absurd that GitHub made a CI system so complicated that tools like this were created, but I digress.)

Given our increase in GHA usage recently, I think this is a good step towards keeping our security posture in tip-top shape. (It also keeps with the theme of automating as many things as possible!)

The rule related to the usages of dangerous-triggers has been disabled to avoid false positives. Explanations about the usage of `pull_request_target` and expectations around its usage can be found in `.github/workflows/README.md`.

[0]: https://woodruffw.github.io/zizmor/

Co-authored-by: Thomas Gerbet <thomas@gerbet.me>
.github/zizmor.yml
@@ -0,0 +1,12 @@
# This file defines the ignore rules for zizmor.
#
# For rules that contain a high number of false positives, prefer listing them here
# instead of adding ignore comments. Note that zizmor cannot ignore by line-within-a-string, so
# there are some ignore items that encompass multiple problems within one `run` block. An issue
# tracking this is at https://github.com/woodruffw/zizmor/issues/648.
#
# For more info, see the documentation: https://woodruffw.github.io/zizmor/usage/#ignoring-results
rules:
dangerous-triggers:
disable: true
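Review bot: `disable: true` under `dangerous-triggers` switches the rule off for every workflow in the repository, including any added later, so a new workflow that introduces `pull_request_target` or `workflow_run` would go unflagged. Since the commit message describes the existing uses as deliberate and documented in `.github/workflows/README.md`, consider scoping the exception to those workflows with the rule's `ignore:` list instead of a blanket disable, and have the header comment point at that README as the rationale rather than only citing false positives. The header also says "there are some ignore items that encompass multiple problems within one `run` block", but this file contains no ignore items at all; drop that paragraph or add it once such entries exist.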
@@ -136,6 +136,8 @@ let
[ "--config=${config}" ];
includes = [ "*.md" ];
};
programs.zizmor.enable = true;
};
fs = pkgs.lib.fileset;
nixFilesSrc = fs.toSource {
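Review bot: `programs.zizmor.enable = true;` is the entire integration, so it relies on zizmor discovering `.github/zizmor.yml` by itself, whereas the neighbouring program in this block passes `--config=${config}` explicitly. Confirm that the hook invokes zizmor from the repository root (or over the `.github` tree) so that file is actually picked up; otherwise the `dangerous-triggers` exception has no effect here and the hook fails on the `pull_request_target` workflows the commit message describes. A short comment beside the line saying where the configuration lives would spare the next reader the same question.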