diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7fe68e7..07ecb13 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -11,6 +11,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: actions/setup-python@v5
 with:
 python-version: "3.x"
diff --git a/.github/workflows/selftest.yml b/.github/workflows/selftest.yml
index 3770491..6f5f509 100644
--- a/.github/workflows/selftest.yml
+++ b/.github/workflows/selftest.yml
@@ -19,6 +19,8 @@ jobs:
 runs-on: ${{ matrix.os }}
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: ./
 id: pip-audit
 with:
@@ -38,6 +40,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: make the environment vulnerable
 run: |
 python -m pip install --no-deps --requirement ./test/vulnerable.txt
@@ -60,6 +64,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: make a virtual environment vulnerable
 run: |
 python -m venv env
@@ -83,6 +89,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: ./
 id: pip-audit
 with:
@@ -101,6 +109,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - uses: ./
 id: pip-audit
 with:
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index 1df680c..a037476 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -12,11 +12,13 @@ name: Semgrep
 jobs:
 semgrep:
 name: Scan
- runs-on: ubuntu-20.04
+ runs-on: ubuntu-latest
 env:
 SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
 container:
- image: returntocorp/semgrep
+ image: semgrep/semgrep
 steps:
 - uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - run: semgrep ci
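Review bot: `actions/checkout@v4` and `actions/setup-python@v5` in the ci.yml hunk remain pinned to floating major tags, so a force-moved or compromised tag would still run arbitrary code in this job; `persist-credentials: false` limits what such a step can do with the checkout's token, but it does not address the pin itself. Pin each action to a full commit SHA and keep the release in a trailing comment, e.g. `uses: actions/checkout@<full-sha> # v4.x.y`, so Dependabot/Renovate can bump SHA and comment together. The workflow header is outside this hunk, so I cannot tell whether a top-level `permissions: contents: read` is already declared; if not, that is the companion change that makes the job's token least-privilege.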
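Review bot: The `@@ -38` selftest.yml hunk deliberately installs known-vulnerable packages (`python -m pip install --no-deps --requirement ./test/vulnerable.txt`) ahead of the action, so the `persist-credentials: false` on the preceding checkout is exactly where it matters: no build hook in that install should be able to read a write-capable token out of `.git/config`. Two things this hunk does not show should be checked with it: that `test/vulnerable.txt` is hash-pinned (`--require-hashes`) so the fixture cannot be quietly swapped for a different wheel, and that the job's `permissions:` (outside the hunk) is `contents: read`. I would also add a comment above the install step, `# Intentionally vulnerable fixture for the self-test; keep this job's token read-only.`, so the next reader does not "fix" the fixture.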
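Review bot: `image: semgrep/semgrep` in the semgrep.yml hunk pulls a floating tag, so every run executes whatever the registry currently serves as `latest` for a scanner that is handed `SEMGREP_APP_TOKEN`; pin it to a release tag plus digest, `image: semgrep/semgrep:<version>@sha256:<digest>`, and bump deliberately. The token is also set at job level (`env:` directly under `semgrep:`), which exposes it to the checkout step and to any step added later; scoping it to the one step that needs it is the least-privilege shape: `- run: semgrep ci` / `  env:` / `    SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}`. The workflow-level `permissions:` and `on:` triggers are outside this hunk, so I cannot confirm the job already runs with a read-only `GITHUB_TOKEN`.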
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..6830f8b
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+jobs:
+ zizmor:
+ name: zizmor latest via PyPI
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ # required for workflows in private repositories
+ contents: read
+ actions: read
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Install the latest version of uv
+ uses: astral-sh/setup-uv@v5
+
+ - name: Run zizmor 🌈
+ run: uvx zizmor --format sarif . > results.sarif
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Upload SARIF file
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
+ category: zizmor
diff --git a/action.yml b/action.yml
index 0dcf5ee..73cf61c 100644
--- a/action.yml
+++ b/action.yml
@@ -75,8 +75,9 @@ runs:
 # NOTE: Sourced, not executed as a script.
 source "${{ github.action_path }}/setup/venv.bash"
- python "${{ github.action_path }}/action.py" "${{ inputs.inputs }}"
+ python "${{ github.action_path }}/action.py" "$GHA_PIP_AUDIT_INPUTS"
 env:
+ GHA_PIP_AUDIT_INPUTS: "${{ inputs.inputs }}"
 GHA_PIP_AUDIT_SUMMARY: "${{ inputs.summary }}"
 GHA_PIP_AUDIT_NO_DEPS: "${{ inputs.no-deps }}"
 GHA_PIP_AUDIT_REQUIRE_HASHES: "${{ inputs.require-hashes }}"
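Review bot: `run: uvx zizmor --format sarif . > results.sarif` installs an unpinned zizmor from PyPI on every run, and `astral-sh/setup-uv@v5` is a third-party action pinned only to a mutable tag, so the new security-scanning workflow is itself the least-pinned thing in the repository (and, as far as I can tell, the tag-pinned `setup-uv` will be reported by zizmor's own `unpinned-uses` audit). Pin both: `uses: astral-sh/setup-uv@<full-sha> # v5.x.y` and `run: uvx zizmor@<version> --format sarif . > results.sarif`. Separately, if zizmor exits non-zero when it has findings (its default behaviour unless `--no-exit-codes` is passed, to my knowledge), the `Upload SARIF file` step is skipped precisely when there is something to upload; add `if: always()` to that step, or pass `--no-exit-codes` and let code scanning gate on the results. The `name: zizmor latest via PyPI` job title should then be updated so it no longer advertises the unpinned behaviour.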
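Review bot: The positional argument `"$GHA_PIP_AUDIT_INPUTS"` in the action.yml hunk is now redundant with the `GHA_PIP_AUDIT_INPUTS` env entry added beneath it, and the sibling `GHA_PIP_AUDIT_*` variables in the same `env:` block are presumably consumed by action.py from the environment; for consistency I would have action.py read `os.environ.get("GHA_PIP_AUDIT_INPUTS", "")` and drop the argument, which also keeps user-supplied requirement paths out of the visible process command line. If argv is kept, the change is still sound: the value no longer passes through the `${{ }}` expression expander, and the double quotes prevent word-splitting of multi-line input. The `run: |` block this hunk edits starts outside the hunk, and action.py is outside this diff, so I cannot see whether an empty `inputs.inputs` now reaches action.py as `""` in the same way it did before.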