feat(zizmor): enable running offline only (#956)

jamesc-grafana · web-flow · commit 8ce69f831624 · 2025-05-07T15:05:22.000Z
* chore(zizmor): enable running offline only

* quote the value

* move offline flag to first

* add extra args to zizmor

* add quotes to params

* optional extra args

* explicitly set the version

* remove the github token arg, pass in through extra-args now

* quote version

* update docs

* address comments

* unquote extra-args

* self test offline mode

* rebase conflicts

* update self test to include permissions

* remove uv install and instead rely on uvx
diff --git a/.github/workflows/reusable-zizmor.md b/.github/workflows/reusable-zizmor.md
@@ -15,6 +15,10 @@ show the current results.
 [zizmor]: https://woodruffw.github.io/zizmor/
 [zizmor-checks]: https://woodruffw.github.io/zizmor/audits/
 
+## Examples
+
+**Online Checks**
+
 ```yaml
 name: Zizmor GitHub Actions static analysis
 on:
@@ -50,6 +54,40 @@ jobs:
       fail-severity: any
 ```
 
+**Faster Offline Checks**
+
+```yaml
+name: Zizmor GitHub Actions static analysis (online checks)
+on:
+  pull_request:
+    paths:
+      - ".github/**"
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/**"
+
+jobs:
+  scorecard:
+    name: Analyse
+
+    permissions:
+      actions: read
+      contents: read
+
+      # required to comment on pull requests with the results of the check
+      pull-requests: write
+      # required to upload the results to GitHub's code scanning service
+      security-events: write
+
+    uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@<some sha>
+    with:
+      # example: fail if there are any findings
+      fail-severity: any
+      extra-args: "--offline"
+```
+
 ## Inputs
 
 | Name                      | Type    | Description                                                                                                                                                                                                                        | Default Value   | Required |
@@ -60,7 +98,8 @@ jobs:
 | runs-on                   | string  | The runner to use for jobs. Configure this to use self-hosted runners.                                                                                                                                                             | ubuntu-latest   | false    |
 | default-config            | boolean | The default Zizmor configuration to use. If `always-use-default-config` is `true`, this configuration will always be used. Otherwise, it will be used if the repository does not have a `.github/zizmor.yml` or `zizmor.yml` file. | true            | false    |
 | always-use-default-config | boolean | Whether to always use `default-config`.                                                                                                                                                                                            | false           | false    |
-| github-token              | string  | The GitHub token to use when authenticating with the GitHub API                                                                                                                                                                    | ${github.token} | false    |
+| github-token              | string  | Use a different token to the default                                                                                                                                                                                               | ${github.token} | false    |
+| extra-args                | string  | Extra arguments to pass into zizmor                                                                                                                                                                                                | ""              | false    |
 
 ## Getting started
 
diff --git a/.github/workflows/reusable-zizmor.yml b/.github/workflows/reusable-zizmor.yml
@@ -27,16 +27,23 @@ on:
         type: string
         default: "ubuntu-latest"
 
+      github-token:
+        description: Use a different token to the default
+        required: false
+        type: string
+        default: ${{ github.token }}
+
       always-use-default-config:
         description: Whether to always use the default configuration.
         required: false
         type: boolean
         default: false
 
-      github-token:
-        description: "The GitHub token to use for the job"
+      extra-args:
+        description: Extra arguments to pass to Zizmor
         required: false
         type: string
+        default: ""
 
 permissions: {}
 
@@ -216,9 +223,10 @@ jobs:
     env:
       MIN_SEVERITY: ${{ inputs.min-severity }}
       MIN_CONFIDENCE: ${{ inputs.min-confidence }}
-      GH_TOKEN: ${{ inputs.github-token || github.token }}
       # renovate: datasource=pypi depName=zizmor
       ZIZMOR_VERSION: 1.6.0
+      GH_TOKEN: ${{ inputs.github-token || github.token }}
+      ZIZMOR_EXTRA_ARGS: ${{ inputs.extra-args }}
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
@@ -338,12 +346,6 @@ jobs:
           cache-suffix: ${{ env.ZIZMOR_VERSION }}
           cache-dependency-glob: ""
 
-      - name: Install Zizmor
-        shell: bash
-        run: |
-          echo "Installing Zizmor ${ZIZMOR_VERSION}"
-          uv pip install --no-cache-dir "zizmor==${ZIZMOR_VERSION}"
-
       - name: Zizmor cache
         uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
         with:
@@ -356,13 +358,14 @@ jobs:
           ZIZMOR_CACHE_DIR: ${{ runner.temp }}/.cache/zizmor
         shell: sh
         run: >-
-          uvx zizmor
+          uvx zizmor@"${ZIZMOR_VERSION}"
           --format sarif
           --min-severity "${MIN_SEVERITY}"
           --min-confidence "${MIN_CONFIDENCE}"
           --cache-dir "${ZIZMOR_CACHE_DIR}"
           ${ZIZMOR_CONFIG:+--config "${ZIZMOR_CONFIG}"}
           ${RUNNER_DEBUG:+"--verbose"}
+          ${ZIZMOR_EXTRA_ARGS:+${ZIZMOR_EXTRA_ARGS}}
           .
           > results.sarif
 
@@ -394,13 +397,14 @@ jobs:
           # don't fail the build if zizmor fails - we want to capture the output
           # and the exit code
           set +e
-          uvx zizmor \
+          uvx zizmor@"${ZIZMOR_VERSION}" \
             --format plain \
             --min-severity "${MIN_SEVERITY}" \
             --min-confidence "${MIN_CONFIDENCE}" \
             --cache-dir "${ZIZMOR_CACHE_DIR}" \
             ${RUNNER_DEBUG:+"--verbose"} \
             ${ZIZMOR_CONFIG:+--config "${ZIZMOR_CONFIG}"} \
+            ${ZIZMOR_EXTRA_ARGS:+${ZIZMOR_EXTRA_ARGS}} \
             . \
             | tee -a "${GITHUB_OUTPUT}"
           zizmor_exit_code=$?
diff --git a/.github/workflows/test-zizmor-offline.yml b/.github/workflows/test-zizmor-offline.yml
@@ -0,0 +1,22 @@
+name: Test reusable Zizmor in offline mode
+on:
+  push:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor-offline:
+    name: Run zizmor offline for current branch (self test)
+
+    permissions:
+      actions: read
+      contents: read
+      id-token: write
+      pull-requests: write
+      security-events: write
+
+    uses: ./.github/workflows/reusable-zizmor.yml
+    with:
+      extra-args: --offline --collect=all
