
Lint our GitHub Actions workflows with zizmor #7401

Open: wants to merge 1 commit into base: develop

Conversation

legoktm (Member) commented Dec 20, 2024

Status

Ready for review

Description of Changes

zizmor is a new tool to lint GitHub Actions workflows. For the most part our workflows are pretty low risk since we don't give it a bunch of credentials, but we can avoid issues in the future by locking them down now.

Two overall issues needed to be fixed:

  • Set persist-credentials: false for actions/checkout, which we do everywhere except in the workflows that need to push.
  • Don't use template expansion when we can use a normal bash variable.

While zizmor is written in Rust, it is also shipped as a prebuilt binary via PyPI, so we can set it as a pip dependency and run it as part of our normal lint CI.

Refs freedomofpress/securedrop-tooling#18.

Testing

How should the reviewer test this PR?

  • visual review
  • CI passes

Deployment

Any special considerations for deployment? n/a
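The two patterns the description refers to, as an added example that is not part of the PR or the SecureDrop workflows themselves: a minimal workflow showing each weak form beside its corrected form, followed by a lint step that runs zizmor from PyPI. The job name, the `pull_request` trigger, the `actions/setup-python` step and the invocation `zizmor .github/workflows/` are assumptions for illustration, not copied from the project.

```yaml
# Added example workflow (not the project's own file). It shows the two
# zizmor findings the PR description mentions and how each is resolved.
name: lint

on:
  pull_request:

# Assumed least-privilege token scope for a read-only lint job.
permissions:
  contents: read

jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      # Weak form: by default actions/checkout writes the GITHUB_TOKEN into
      # .git/config, so every later step (and anything those steps install
      # or execute) can read it.
      #
      #   - uses: actions/checkout@v4
      #
      # Corrected form: do not persist the token. Only workflows that have to
      # push back to the repository need it.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false

      # Weak form: a ${{ }} expression inside `run:` is expanded into the
      # script text before the shell starts, so untrusted input (here a PR
      # title) is spliced in as code rather than handled as data.
      #
      #   - run: echo "Title: ${{ github.event.pull_request.title }}"
      #
      # Corrected form: hand the value to the step as an environment
      # variable and let bash expand it; the shell then treats it as a
      # plain string.
      - name: Show PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $PR_TITLE"

      # Run zizmor as part of the normal lint job. It is distributed as a
      # prebuilt binary on PyPI, so a pip install is enough (the Python
      # version and the path argument below are assumed values).
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - run: pip install zizmor
      - run: zizmor .github/workflows/
```

In a real repository the `pip install zizmor` line would normally be replaced by the project's pinned dependency file so the linter version is fixed along with the rest of the lint tooling.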
