# Copyright 2026 ResQ Software
# SPDX-License-Identifier: Apache-2.0
#
# Caller workflow: every scan is delegated to the org-wide reusable
# security-scan workflow maintained in resq-software/.github.
name: security

on:
  push:
    branches:
      - main
      - master
  pull_request:
  schedule:
    - cron: '17 6 * * 1'
  workflow_dispatch:

# Nothing is granted at workflow level. The single job below is a
# reusable-workflow call, and a caller forwards scopes from the job's own
# `permissions` block, so that is where they are declared.
permissions: {}

jobs:
  scan:
    # Declared on the job rather than the workflow so the grant covers only
    # the reusable call (zizmor `excessive-permissions` flags the wider form).
    permissions:
      contents: read           # checkout inside the reusable's jobs
      security-events: write   # CodeQL / zizmor SARIF upload by the reusable
      pull-requests: read      # dependency-review in the reusable reads the PR diff
      # The reusable's CodeQL and zizmor jobs request this scope. A reusable
      # workflow can never hold more than its caller grants, so leaving it
      # out makes the run fail at startup.
      actions: read
    # Pinned to a full commit SHA as org policy requires (a mutable ref such
    # as @main is rejected by zizmor `unpinned-uses`). The trailing comment is
    # what lets Dependabot keep the pin current; same convention as ci.yml.
    uses: resq-software/.github/.github/workflows/security-scan.yml@b48036af2c8f012f547979c29c819e1a19caf406 # main (2026-06-01, #21)
    with:
      languages: '["actions"]'
      enable-semgrep: true
    # Forward exactly the one secret the enabled scanners need (semgrep)
    # instead of `secrets: inherit`, which would expose every repository
    # secret to the reusable workflow — zizmor `secrets-inherit`.
    secrets:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}