mirror of
https://github.com/certbot/certbot.git
synced 2026-07-16 05:03:08 -04:00
Add zizmor CI workflow for GitHub Actions security scanning
Add automated zizmor scanning on .github/** changes to detect workflow vulnerabilities. Config ignores the two manually-reviewed pull_request_target workflows (merged.yaml, review_requested.yaml) per discussion in PR #10490, and uses 'any' policy for unpinned-uses. Fixes #10635
This commit is contained in:
parent
f769e35e77
commit
2ebbbc847d
2 changed files with 36 additions and 0 deletions
25
.github/workflows/zizmor.yml
vendored
Normal file
25
.github/workflows/zizmor.yml
vendored
Normal file
|
|
@ -0,0 +1,25 @@
|
|||
name: Workflow security (zizmor)
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths:
|
||||
- '.github/**'
|
||||
pull_request:
|
||||
branches:
|
||||
- main
|
||||
- "*.x"
|
||||
paths:
|
||||
- '.github/**'
|
||||
workflow_dispatch:
|
||||
permissions:
|
||||
contents: read
|
||||
jobs:
|
||||
zizmor:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
with:
|
||||
persist-credentials: false
|
||||
- run: pipx install zizmor
|
||||
- run: zizmor .
|
||||
11
.github/zizmor.yml
vendored
Normal file
11
.github/zizmor.yml
vendored
Normal file
|
|
@ -0,0 +1,11 @@
|
|||
rules:
|
||||
unpinned-uses:
|
||||
config:
|
||||
policies:
|
||||
"*": any
|
||||
dangerous-triggers:
|
||||
ignore:
|
||||
# These workflows have been manually reviewed for safety.
|
||||
# See https://github.com/certbot/certbot/pull/10490
|
||||
- merged.yaml
|
||||
- review_requested.yaml
|
||||
Loading…
Reference in a new issue