File tree 2 files changed +44
-0
lines changed 2 files changed +44
-0
lines changed Original file line number Diff line number Diff line change @@ -114,11 +114,17 @@ jobs:
114114 fail_ci_if_error : true # optional (default = false)
115115 verbose : true # optional (default = false)
116116
117+ zizmor :
118+ uses : ./.github/workflows/reusable-zizmor.yml
119+ permissions :
120+ security-events : write
121+
117122 check : # This job does nothing and is only used for the branch protection
118123 if : always()
119124 needs :
120125 - build
121126 - test
127+ - zizmor
122128 runs-on : ubuntu-24.04
123129 timeout-minutes : 5
124130
Original file line number Diff line number Diff line change 1+ ---
2+ name : Reusable zizmor
3+
4+ permissions : {}
5+
6+ on :
7+ workflow_call :
8+
9+ env :
10+ FORCE_COLOR : 1
11+
12+ jobs :
13+ zizmor :
14+ runs-on : ubuntu-24.04
15+ permissions :
16+ security-events : write
17+ timeout-minutes : 5
18+
19+ steps :
20+ - uses : actions/checkout@v4
21+ with :
22+ persist-credentials : false
23+ - name : Install uv
24+ # yamllint disable-line rule:line-length
25+ uses : astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0
26+ with :
27+ # yamllint disable-line rule:line-length
28+ enable-cache : | # zizmor: ignore[cache-poisoning] cache is disabled when publishing to prevent poisoning
29+ ${{ github.ref_type == 'tag' && 'false' || 'auto' }}
30+ name : Run zizmor 🌈
31+ run : uvx zizmor --format=sarif . > results.sarif
32+ env :
33+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
34+ - name : Upload SARIF file
35+ uses : github/codeql-action/upload-sarif@v3
36+ with :
37+ sarif_file : results.sarif
38+ category : zizmor
You can’t perform that action at this time.
0 commit comments