Skip to content

ci: add zizmor workflow #1813

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
anujm1 wants to merge 2 commits into from
Closed

ci: add zizmor workflow #1813

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
f5777ea
ci: add zizmor workflow
anujm1 Mar 25, 2026
4b6fbe8
ci: ignore zizmor warnings relating to use of GITHUB_ENV
anujm1 Mar 26, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/actions/compile/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,14 +36,14 @@

- name: Setting up kas-container
shell: bash
run: |
run: | # zizmor: ignore[github-env]
KAS_CONTAINER=$RUNNER_TEMP/kas-container
echo "KAS_CONTAINER=$KAS_CONTAINER" >> $GITHUB_ENV
chmod +x $KAS_CONTAINER

- name: Setup build variables and sstate-cache
shell: bash
run: |
run: | # zizmor: ignore[github-env]
# use a monthly sstate cache folder
echo "DL_DIR=${INPUTS_CACHE_DIR}/downloads" >> $GITHUB_ENV
echo "SSTATE_DIR=${INPUTS_CACHE_DIR}/sstate-cache-$(date '+%Y-%m')" >> $GITHUB_ENV
Expand Down Expand Up @@ -144,7 +144,7 @@
KERNEL_DIRNAME="${INPUTS_KERNEL_DIRNAME}"
BUILDNAME="${INPUTS_MACHINE}_${INPUTS_DISTRO_NAME}${KERNEL_DIRNAME}"
FILENAME="build-url_${BUILDNAME}"
echo "${{ steps.upload_s3_artifacts.outputs.url }}" > "${FILENAME}"

Check notice on line 147 in .github/actions/compile/action.yml

View workflow job for this annotation

GitHub Actions / Run zizmor

template-injection 

action.yml:147: code injection via template expansion: may expand into attacker-controllable code
echo "filename=${FILENAME}" >> $GITHUB_OUTPUT
env:
INPUTS_KERNEL_DIRNAME: ${{ inputs.kernel_dirname }}
Expand Down
2 changes: 1 addition & 1 deletion .github/actions/lava-test-plans/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,7 +45,7 @@ runs:

- name: Run lava-test-plans
shell: bash
run: |
run: | # zizmor: ignore[github-env]
set -euo pipefail
cd lava-test-plans && pip install .
lava-test-plans --version
Expand Down
25 changes: 25 additions & 0 deletions .github/workflows/zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
name: GitHub Actions Security Analysis with zizmor

on:
pull_request:
Comment thread
anujm1 marked this conversation as resolved.
branches: ["**"]
push:
branches: [ master ]

permissions: {}

jobs:
zizmor:
name: Run zizmor
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v6 # v6.0.2
with:
persist-credentials: false

- name: Run zizmor
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
with:
advanced-security: false
annotations: true
7 changes: 7 additions & 0 deletions .github/zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
rules:
unpinned-uses:
config:
policies:
actions/*: ref-pin
foundriesio/*: ref-pin
qualcomm-linux/*: ref-pin
Loading