Add zizmor checks

masklinn · masklinn · commit 67ed3053f502 · 2024-12-22T11:23:36.000+01:00
The actions are nothing complicated so there should be limited to no
risk, but better safe than sorry, and zizmor seems to run really fast
so probably not any sort of bottleneck.
diff --git a/.github/workflows/py-checks.yml b/.github/workflows/py-checks.yml
@@ -13,6 +13,8 @@ jobs:
     steps:
     - name: Checkout working copy
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: ruff check
       uses: chartboost/ruff-action@v1
       with:
diff --git a/.github/workflows/py-tests.yml b/.github/workflows/py-tests.yml
@@ -19,6 +19,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
@@ -79,6 +81,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
diff --git a/.github/workflows/pyo3-wheels.yml b/.github/workflows/pyo3-wheels.yml
@@ -57,6 +57,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
@@ -79,6 +81,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Build sdist
         uses: PyO3/maturin-action@v1
         with:
@@ -140,6 +144,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         with:
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -13,6 +13,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - run: cargo fmt --check
     - if: always()
       run: cargo clippy
@@ -24,6 +26,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         submodules: true
+        persist-credentials: false
     - run: cargo check
     - run: cargo test -r --verbose
 
@@ -35,5 +38,6 @@ jobs:
     - uses: actions/checkout@v4
       with:
         submodules: true
+        persist-credentials: false
     - run: cargo update --verbose
     - run: cargo test -r --verbose
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,29 @@
+name: Zizmor
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v4
+      - name: Run zizmor
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
