From f5777ead81ddf65b8727b8afddd5cd7467754f14 Mon Sep 17 00:00:00 2001
From: Anuj Mittal
Date: Wed, 25 Mar 2026 21:18:08 +0800
Subject: [PATCH 1/2] ci: add zizmor workflow
Scan all GitHub workflows in the repository using zizmor action [1]. Set advanced-security to false to use annotations instead of letting zizmor write security events. And, ignore all unpinned-uses warnings for actions hosted under trusted orgs.
[1] https://github.com/zizmorcore/zizmor-action
Signed-off-by: Anuj Mittal
---
 .github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++
 .github/zizmor.yml | 7 +++++++
 2 files changed, 32 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
 create mode 100644 .github/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000..e1879153e
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+ pull_request:
+ branches: ["**"]
+ push:
+ branches: [ master ]
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6 # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+ with:
+ advanced-security: false
+ annotations: true
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..2206ae7ee
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ actions/*: ref-pin
+ foundriesio/*: ref-pin
+ qualcomm-linux/*: ref-pin
From 4b6fbe88916e4966c7661103844691bcdfbff234 Mon Sep 17 00:00:00 2001
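Review bot: The comment `# v6.0.2` on `uses: actions/checkout@v6` reads as if the step were pinned to a specific release, but `v6` is a floating major tag that can be moved, so the line looks SHA-pinned when it is not. Either pin it to the commit of the intended release the way the zizmor-action step below is pinned, `uses: actions/checkout@<commit-sha-of-v6.0.2> # v6.0.2`, or drop the patch-version comment so the deliberate `actions/*` tag exception is visible at a glance. The two `branches:` lists also mix flow styles (`["**"]` versus `[ master ]`); one form such as `branches: ["master"]` keeps the file consistent. The job inherits the empty top-level `permissions: {}` with no job-level grant, which is the right default for `advanced-security: false`; if annotation output ever needs more, add it at the job rather than widening the top-level block.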
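Review bot: The `ref-pin` policies for `actions/*`, `foundriesio/*` and `qualcomm-linux/*` carry no comment explaining why these orgs may be referenced by mutable tag while every other action must be hash-pinned; that rationale exists only in the commit message, which a later reader of `.github/zizmor.yml` will not see. A two-line header such as `# Tag references are accepted only for orgs the project controls or trusts;` / `# actions from anywhere else must be pinned to a commit hash.` keeps the policy self-explaining. Since a tag pin trusts whoever can move tags in those orgs, additions to this list are a trust decision and worth calling out as such in the file.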
From: Anuj Mittal
Date: Thu, 26 Mar 2026 09:10:56 +0530
Subject: [PATCH 2/2] ci: ignore zizmor warnings relating to use of GITHUB_ENV
GITHUB_ENV can potentially allow an attacker to inject code [1] if they could control the values being assigned to it. In this case, the values assigned to GITHUB_ENV are static and not controllable so ignore the specific instances.
[1] https://securitylab.github.com/advisories/GHSL-2024-177_Litestar/
Signed-off-by: Anuj Mittal
---
 .github/actions/compile/action.yml | 4 ++--
 .github/actions/lava-test-plans/action.yml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/actions/compile/action.yml b/.github/actions/compile/action.yml
index e1a9861d6..1465f1619 100644
--- a/.github/actions/compile/action.yml
+++ b/.github/actions/compile/action.yml
@@ -36,14 +36,14 @@ runs:
 - name: Setting up kas-container
 shell: bash
- run: |
+ run: | # zizmor: ignore[github-env]
 KAS_CONTAINER=$RUNNER_TEMP/kas-container
 echo "KAS_CONTAINER=$KAS_CONTAINER" >> $GITHUB_ENV
 chmod +x $KAS_CONTAINER
 - name: Setup build variables and sstate-cache
 shell: bash
- run: |
+ run: | # zizmor: ignore[github-env]
 # use a monthly sstate cache folder
 echo "DL_DIR=${INPUTS_CACHE_DIR}/downloads" >> $GITHUB_ENV
 echo "SSTATE_DIR=${INPUTS_CACHE_DIR}/sstate-cache-$(date '+%Y-%m')" >> $GITHUB_ENV
diff --git a/.github/actions/lava-test-plans/action.yml b/.github/actions/lava-test-plans/action.yml
index 8ae84c0fd..55bcc5a42 100644
--- a/.github/actions/lava-test-plans/action.yml
+++ b/.github/actions/lava-test-plans/action.yml
@@ -45,7 +45,7 @@ runs:
 - name: Run lava-test-plans
 shell: bash
- run: |
+ run: | # zizmor: ignore[github-env]
 set -euo pipefail
 cd lava-test-plans && pip install .
 lava-test-plans --version
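Review bot: The second `github-env` suppression in this hunk rests on the commit message's claim that the exported values are static, but that step writes `${INPUTS_CACHE_DIR}` into `DL_DIR` and `SSTATE_DIR`, and that variable appears to be an action input mapped into the environment somewhere outside the hunk, so its value is whatever the calling workflow passes rather than a constant. If every caller supplies a literal path the suppression is justified, but the assumption should live next to it rather than only in git history, for instance a comment line above each `run:` key such as `# github-env suppressed: exported paths derive from RUNNER_TEMP and the cache-dir input, not from PR-controlled data`. The same missing rationale applies to the suppression in the lava-test-plans hunk below. Both composite-action steps sit inside a `runs:` block whose start and remaining steps are outside the hunk.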
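Review bot: None of the visible lines of this `run: |` block write to `$GITHUB_ENV` (`set -euo pipefail`, the `pip install .` and the `--version` call), so the write that `zizmor: ignore[github-env]` covers sits later in the script, past the end of the hunk, and the "static and not controllable" claim cannot be checked from this diff. A short comment naming the variable being exported and where its value comes from, placed beside the `>> $GITHUB_ENV` line or above `run:`, would let the next reader verify the suppression without re-auditing the whole script. The run block and the step continue beyond the last line shown here.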