ci: zizmor

westonsteimel · westonsteimel · commit 233cdf257c19 · 2026-02-18T12:44:54.000Z
Signed-off-by: Weston Steimel &lt;author@code.w.steimel.me.uk&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,22 +1,18 @@
 version: 2
-
 updates:
+
   - package-ecosystem: "github-actions"
-    directories:
-      - "/"
+    open-pull-requests-limit: 10
+    directory: "/.github/actions/bootstrap"
+    schedule:
+      interval: "daily"
     cooldown:
       default-days: 7
-    schedule:
-      interval: "weekly"
-      day: "friday"
+
+  - package-ecosystem: "github-actions"
     open-pull-requests-limit: 10
-    labels:
-      - "dependencies"
-    groups:
-      actions-minor-patch:
-        applies-to: version-updates  # security updates get individual PRs
-        patterns:
-          - "*"
-        update-types:  # major omitted, gets individual PRs
-          - "minor"
-          - "patch"
+    directory: "/.github/workflows"
+    schedule:
+      interval: "daily"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -34,6 +34,6 @@ jobs:
       - name: Render the vulnerability index specs sqlite
         run: anchore-security-cli -v vuln-index spec render --data-path data -o ${{ runner.temp }}/vuln-index-specs
       - name: Login to GHCR via oras
-        run: echo ${{ secrets.GITHUB_TOKEN }} | oras login ghcr.io --username ${{ github.actor }} --password-stdin
+        run: echo ${{ secrets.GITHUB_TOKEN }} | oras login ghcr.io --username "${GITHUB_ACTOR}" --password-stdin
       - name: Publish the vulnerability index specs sqlite
         run: anchore-security-cli -vvv vuln-index spec publish --index-dir ${{ runner.temp }}/vuln-index-specs --deploy-to=development
diff --git a/.github/workflows/validate-github-actions.yaml b/.github/workflows/validate-github-actions.yaml
@@ -0,0 +1,36 @@
+name: "Validate GitHub Actions"
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: "Lint"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write  # for uploading SARIF results
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: "Run zizmor"
+        uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+        with:
+          config: .github/zizmor.yml
+          # Disable SARIF upload so the step is a simple pass/fail gate
+          advanced-security: false
+          inputs: .github
diff --git a/.github/workflows/validations.yaml b/.github/workflows/validations.yaml
@@ -23,7 +23,9 @@ jobs:
       - name: Install OS dependencies
         run: apk add --no-cache taplo
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
+        with:
+          persist-credentials: false
       - name: Run schema validation
         run: taplo validate --schema file:${PWD}/schema/toml/0.1.0.schema.json
       - name: Run format validation
-        run: taplo format --check
+        run: taplo format --check
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # anchore/workflows is an internal repository; using @main is acceptable
+        anchore/*: any
