fail zizmor job on findings (#119)

* fail zizmor job on findings

* only fail zizmor on warnings or above

Author: bckohan

.github/workflows/zizmor.yml

@@ -28,7 +28,10 @@ jobs:
 
       - name: Set up Rust
         uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c
-
+      - name: Install jq
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y jq
       - name: Install Zizmor
         run: |
           cargo install --locked zizmor
@@ -48,3 +51,12 @@ jobs:
         uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89
         with:
           sarif_file: results.sarif
+
+      - name: Fail on Findings
+        run: |
+          count="$(
+            jq '([.runs[]? | (.results // [])[] | select(.level != "note")] | length) // 0' \
+              results.sarif
+          )"
+          echo "Zizmor findings: $count"
+          test "$count" -eq 0

SECURITY.md

@@ -3,6 +3,7 @@
 [![CodeQL](https://github.com/bckohan/enum-properties/actions/workflows/github-code-scanning/codeql/badge.svg?branch=main)](https://github.com/bckohan/enum-properties/actions/workflows/github-code-scanning/codeql?query=branch:main)
 [![Zizmor](https://github.com/bckohan/enum-properties/actions/workflows/zizmor.yml/badge.svg?branch=main)](https://docs.zizmor.sh/)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/bckohan/enum-properties/badge)](https://securityscorecards.dev/viewer/?uri=github.com/bckohan/enum-properties)
+
 ## Supported Versions
 
 Only the latest version [![PyPI version](https://badge.fury.io/py/enum-properties.svg)](https://pypi.python.org/pypi/enum-properties) is supported.