Commit Graph

10 Commits

Author SHA1 Message Date
stevenhorsman
063a13ccd0 workflows: Bump zizmor to 1.22
Bump zizmor to the 1.22 version to pick up new rule updates.
Later bumps to follow once this has proven stable

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-04-28 13:10:36 +01:00
stevenhorsman
b3179bdd8e workflows: Update actions/checkout version
Update the action to resolve the following warning in GHA:
> Node.js 20 actions are deprecated. The following actions are running
> on Node.js 20 and may not work as expected:
> actions/checkout@11bd71901b.
> Actions will be forced to run with Node.js 24 by default starting June 2nd, 2026.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2026-03-30 10:45:28 +01:00
dependabot[bot]
dc8d9e056d build(deps): bump zizmorcore/zizmor-action from 0.2.0 to 0.4.1
Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.2.0 to 0.4.1.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](e673c3917a...135698455d)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.4.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-02-01 15:08:10 +00:00
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
Aurélien Bombo
2e033d0079 gha: Run Zizmor without Advanced Security
This does not change the security of the analysis, this is just to work
around zizmorcore/zizmor-action#43.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 10:50:41 -05:00
Aurélien Bombo
11655ef029 ci: Run Zizmor on pushes to any branch
This runs Zizmor on pushes to any branch, not just main.

This is useful for:

 1. Testing changes in feature branches with the manually-triggered CI.
 2. Forked repos that may use a different name than "main" for their
    default branch.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-11 09:33:25 -05:00
Aurélien Bombo
1dcc67c241 security: gha: Use Zizomor's auditor mode
This is the strictest possible setting for Zizmor.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-03 12:30:09 -05:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Aurélien Bombo
8723eedad2 gha: Remove path restriction for Zizmor workflow
The way GH works, we can only require Zizmor results on ALL PR runs, or
none, so remove the path filter.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-07-03 08:18:34 -05:00
Aurélien Bombo
34c8cd810d ci: Run zizmor for GHA security analysis
This runs the zizmor security lint [1] on our GH Actions.
The initial workflow uses [2] as a base.

[1] https://docs.zizmor.sh/
[2] https://docs.zizmor.sh/usage/#use-in-github-actions

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-26 10:52:28 +01:00