Add zizmor CI workflow for GitHub Actions security scanning

Add automated zizmor scanning on .github/** changes to detect
workflow vulnerabilities. Config ignores the two manually-reviewed
pull_request_target workflows (merged.yaml, review_requested.yaml)
per discussion in PR #10490, and uses 'any' policy for unpinned-uses.

Fixes #10635
This commit is contained in:
John Muirhead-Gould 2026-06-27 01:12:14 -04:00
parent f769e35e77
commit 2ebbbc847d
2 changed files with 36 additions and 0 deletions

25
.github/workflows/zizmor.yml vendored Normal file
View file

@ -0,0 +1,25 @@
name: Workflow security (zizmor)
on:
push:
branches:
- main
paths:
- '.github/**'
pull_request:
branches:
- main
- "*.x"
paths:
- '.github/**'
workflow_dispatch:
permissions:
contents: read
jobs:
zizmor:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- run: pipx install zizmor
- run: zizmor .

11
.github/zizmor.yml vendored Normal file
View file

@ -0,0 +1,11 @@
rules:
unpinned-uses:
config:
policies:
"*": any
dangerous-triggers:
ignore:
# These workflows have been manually reviewed for safety.
# See https://github.com/certbot/certbot/pull/10490
- merged.yaml
- review_requested.yaml