Commit Graph

7 Commits

Author SHA1 Message Date
Aurélien Bombo
433e59de1f gha: zizmor: fix "workflow or action definition without a name" error
This fixes that error everywhere by adding a `name:` field to all jobs that
were missing it. We keep the same name as the job ID to ensure no
disturbance to the required job names.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 23:34:40 -05:00
Aurélien Bombo
2e033d0079 gha: Run Zizmor without Advanced Security
This does not change the security of the analysis, this is just to work
around zizmorcore/zizmor-action#43.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-25 10:50:41 -05:00
Aurélien Bombo
11655ef029 ci: Run Zizmor on pushes to any branch
This runs Zizmor on pushes to any branch, not just main.

This is useful for:

 1. Testing changes in feature branches with the manually-triggered CI.
 2. Forked repos that may use a different name than "main" for their
    default branch.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-11 09:33:25 -05:00
Aurélien Bombo
1dcc67c241 security: gha: Use Zizomor's auditor mode
This is the strictest possible setting for Zizmor.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-09-03 12:30:09 -05:00
stevenhorsman
b4545da15d workflows: Set top-level permissions to empty
The default suggestion for top-level permissions was
`contents: read`, but scorecard notes anything other than empty,
so try updating it and see if there are any issues. I think it's
only needed if we run workflows from other repos.

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-08-22 14:13:21 +01:00
Aurélien Bombo
8723eedad2 gha: Remove path restriction for Zizmor workflow
The way GH works, we can only require Zizmor results on ALL PR runs, or
none, so remove the path filter.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-07-03 08:18:34 -05:00
Aurélien Bombo
34c8cd810d ci: Run zizmor for GHA security analysis
This runs the zizmor security lint [1] on our GH Actions.
The initial workflow uses [2] as a base.

[1] https://docs.zizmor.sh/
[2] https://docs.zizmor.sh/usage/#use-in-github-actions

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-06-26 10:52:28 +01:00