Skip to content

Disable the build on an event dispatch, for now #7

Disable the build on an event dispatch, for now

Disable the build on an event dispatch, for now #7

name: octoguard
on:
workflow_call:
workflow_dispatch:
pull_request:
push:
branches:
- main
permissions:
contents: read
actions: read
env:
ZIZMOR_VERSION: 1.5.2
jobs:
zizmor:
runs-on: ubuntu-24.04
permissions:
contents: read
actions: read
security-events: write
env:
TMPDIR: /tmp/zizmor
steps:
-
name: Checkout
uses: actions/checkout@v4 # zizmor: ignore[artipacked] fine to ignore official actions
with:
persist-credentials: false
-
name: Checks
uses: actions/github-script@v7 # zizmor: ignore[artipacked] fine to ignore official actions
with:
script: |
const fs = require('fs');
fs.mkdirSync(process.env.TMPDIR, { recursive: true });
const workflowsPath = '.github/workflows';
if (!fs.existsSync(workflowsPath)){
core.warning("No workflow directory found, skipping zizmor scan.");
return;
}
const workflows = fs.readdirSync(workflowsPath).filter(file => file.endsWith('.yml') || file.endsWith('.yaml'));
if (workflows.length > 0) {
core.info(`${workflows.length} workflows found in this repository.`);
core.exportVariable('HAS_WORKFLOWS', 'true');
} else {
core.warning("No workflows found, skipping zizmor scan.");
return;
}
try {
await github.request('GET /repos/{owner}/{repo}/code-scanning/alerts', {
...context.repo,
}).catch(err => {
if (err.status === 403) {
throw new Error('Advanced Security needs to be enabled on this repository.');
}
});
core.info('Advanced Security is enabled on this repository.');
} catch (err) {
core.setFailed(err.message);
}
-
name: Setup uv
if: ${{ env.HAS_WORKFLOWS }}
uses: astral-sh/setup-uv@0c5e2b8115b80b4c7c5ddf6ffdd634974642d182 # v5.4.1
with:
enable-cache: false
-
name: Install zizmor
if: ${{ env.HAS_WORKFLOWS }}
run: |
set -ex
uv tool install zizmor@${ZIZMOR_VERSION}
-
name: Run zizmor
if: ${{ env.HAS_WORKFLOWS }}
id: zizmor
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
set -ex
zizmor --min-severity=medium --min-confidence=medium --persona=pedantic --no-online-audits --format=sarif . > ${TMPDIR}/zizmor.sarif
-
name: Zizmor crash report
if: ${{ env.HAS_WORKFLOWS && failure() && steps.zizmor.conclusion == 'failure' }}
run: |
cat ${TMPDIR}/report-*.toml
-
name: Upload SARIF report
if: ${{ env.HAS_WORKFLOWS }}
uses: github/codeql-action/upload-sarif@v3 # zizmor: ignore[artipacked] fine to ignore official actions
with:
sarif_file: ${{ env.TMPDIR }}/zizmor.sarif
category: zizmor