
Commit bb64ce9

authored
chore: add zizmor (#10)
Signed-off-by: Keith Zantow <kzantow@gmail.com>
1 parent 36740c2 commit bb64ce9


6 files changed

+54
-0
lines changed


.github/dependabot.yaml

Lines changed: 4 additions & 0 deletions
@@ -8,6 +8,8 @@ updates:
88
- "/.make"
99
schedule:
1010
interval: "daily"
11+
cooldown:
12+
default-days: 7
1113
open-pull-requests-limit: 10
1214
labels:
1315
- "dependencies"
@@ -16,6 +18,8 @@ updates:
1618
directory: "/"
1719
schedule:
1820
interval: "daily"
21+
cooldown:
22+
default-days: 7
1923
open-pull-requests-limit: 10
2024
labels:
2125
- "dependencies"
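Review bot: `cooldown:` / `default-days: 7` is added to both update entries without a comment saying what the week-long delay is for, and the `updates:` entries it belongs to start outside each hunk. A cooldown holds back every new version, patch releases included, for seven days; as far as I recall Dependabot security updates are not subject to cooldown, but that is worth confirming against the documentation before relying on it. Suggest a comment above each block, e.g. `# Hold new versions for 7 days so early-release regressions surface first; confirm security updates bypass this`.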

.github/workflows/oss-project-board-add.yaml

Lines changed: 3 additions & 0 deletions
@@ -8,6 +8,9 @@ on:
88
- transferred
99
- labeled
1010

11+
permissions:
12+
contents: read
13+
1114
jobs:
1215

1316
run:
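Review bot: A workflow-level `permissions: contents: read` also caps the token handed to whatever reusable workflow the `run:` job calls, because a called workflow can only downgrade, never raise, the caller's permissions. The same block is added in remove-awaiting-response-label.yaml, whose `run:` job calls `anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main`; removing a label presumably needs `issues: write`, and project-board automation typically needs a write scope or a dedicated token. If those jobs relied on the default GITHUB_TOKEN permissions before this commit, they will now fail at runtime rather than at lint time. The `run:` job bodies continue outside both hunks, so confirm whether they set their own `permissions:` or the called workflows use a secret token, and record the answer next to the new block, e.g. `# read-only default; write scopes are granted per job below` if that is how it is wired.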

.github/workflows/remove-awaiting-response-label.yaml

Lines changed: 3 additions & 0 deletions
@@ -4,6 +4,9 @@ on:
44
issue_comment:
55
types: [created]
66

7+
permissions:
8+
contents: read
9+
710
jobs:
811
run:
912
uses: "anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main"
Lines changed: 35 additions & 0 deletions
@@ -0,0 +1,35 @@
1+
name: "Validate GitHub Actions"
2+
3+
on:
4+
pull_request:
5+
paths:
6+
- '.github/workflows/**'
7+
- '.github/actions/**'
8+
push:
9+
branches:
10+
- main
11+
paths:
12+
- '.github/workflows/**'
13+
- '.github/actions/**'
14+
15+
permissions:
16+
contents: read
17+
18+
jobs:
19+
zizmor:
20+
name: "Lint"
21+
runs-on: ubuntu-latest
22+
permissions:
23+
contents: read
24+
steps:
25+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
26+
with:
27+
persist-credentials: false
28+
29+
- name: "Run zizmor"
30+
uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
31+
with:
32+
config: .github/zizmor.yml
33+
# Disable SARIF upload so the step is a simple pass/fail gate
34+
advanced-security: false
35+
inputs: .github
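Review bot: The `paths` filters on both triggers omit `.github/zizmor.yml`, so a change that loosens the audit policy (for example adding another `any` entry) never re-runs this lint and can be merged unvalidated; add `- '.github/zizmor.yml'` to both the `pull_request` and the `push` path lists. The comment on `advanced-security: false` describes the step as a pass/fail gate, which holds only if the action exits non-zero on findings when SARIF upload is disabled — worth confirming against the pinned action version and, if it exposes a severity threshold, stating in the comment which findings fail the build. The file name for this section is not shown on the rendered page; presumably it is a new file under `.github/workflows/`.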

.github/workflows/validations.yml

Lines changed: 3 additions & 0 deletions
@@ -15,6 +15,9 @@ on:
1515
schedule:
1616
- cron: '0 2 15 * *' # monthly at 2 am on the 15th
1717

18+
permissions:
19+
contents: read
20+
1821
jobs:
1922
test:
2023
strategy:

.github/zizmor.yml

Lines changed: 6 additions & 0 deletions
@@ -0,0 +1,6 @@
1+
rules:
2+
unpinned-uses:
3+
config:
4+
policies:
5+
# anchore actions are internal; using @main is acceptable
6+
anchore/*: any
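Review bot: `anchore/*: any` exempts every repository in the anchore organization from the unpinned-uses audit, while the only internal dependency visible in this commit is `anchore/workflows` (the `@main` reference in remove-awaiting-response-label.yaml). If zizmor's policy patterns accept an `owner/repo` key, as I recall they do, narrowing to `anchore/workflows: any` keeps the exemption to the repository that is actually trusted. The comment could also state the trust decision it encodes, e.g. `# anchore/workflows is maintained by this org; a floating @main ref is accepted, so its main branch is inside this repo's CI trust boundary`.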
