Perform zizmor analysis in GitHub Actions workflow (#4840)

juliette-derancourt · web-flow · commit 0ad78ff6a05b · 2025-08-18T19:07:26.000Z
diff --git a/.github/actions/maven-central-user-token/action.yml b/.github/actions/maven-central-user-token/action.yml
@@ -11,7 +11,7 @@ runs:
   using: "composite"
   steps:
     - shell: bash
-      run: |
+      run: | # zizmor: ignore[github-env]
         USER_TOKEN=$(printf "${USERNAME}:${PASSWORD}" | base64)
         echo "::add-mask::$USER_TOKEN"
         echo "MAVEN_CENTRAL_USER_TOKEN=$USER_TOKEN" >> $GITHUB_ENV
diff --git a/.github/actions/run-gradle/action.yml b/.github/actions/run-gradle/action.yml
@@ -23,7 +23,7 @@ runs:
     - shell: bash
       env:
         JAVA_HOME: ${{ steps.setup-gradle-jdk.outputs.path }}
-      run: |
+      run: | # zizmor: ignore[template-injection]
         ./gradlew \
         -Porg.gradle.java.installations.auto-download=false \
         -Pjunit.develocity.predictiveTestSelection.enabled=true \
diff --git a/.github/actions/setup-test-jdk/action.yml b/.github/actions/setup-test-jdk/action.yml
@@ -14,11 +14,11 @@ runs:
         java-version: 8
         check-latest: true
     - shell: bash
-      run: echo "JDK8=$JAVA_HOME" >> $GITHUB_ENV
+      run: echo "JDK8=$JAVA_HOME" >> $GITHUB_ENV # zizmor: ignore[github-env]
     - uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4
       with:
         distribution: ${{ inputs.distribution }}
         java-version: 17
         check-latest: true
     - shell: bash
-      run: echo "JDK17=$JAVA_HOME" >> $GITHUB_ENV
+      run: echo "JDK17=$JAVA_HOME" >> $GITHUB_ENV # zizmor: ignore[github-env]
diff --git a/.github/workflows/label-pull-request.yml b/.github/workflows/label-pull-request.yml
@@ -1,8 +1,11 @@
 name: Copy labels from linked issues to PR
+
 on:
   pull_request_target:
-    types: [opened, reopened, edited, synchronize]
+    types: [opened, reopened, edited, synchronize] # zizmor: ignore[dangerous-triggers]
+
 permissions: {}
+
 jobs:
   copy_labels:
     name: Copy labels
diff --git a/.github/workflows/zizmor-analysis.yml b/.github/workflows/zizmor-analysis.yml
@@ -0,0 +1,29 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches:
+      - main
+      - 'releases/**'
+    paths:
+      - '.github/**'
+  pull_request:
+    paths:
+      - '.github/**'
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
