Files
emdash-cms--emdash/.github/workflows/zizmor.yml
T
wehub-resource-sync b3a7f98e5a
CI / E2E Cloudflare (4/8) (push) Failing after 0s
CI / E2E Cloudflare (8/8) (push) Failing after 1s
CI / Lint (push) Failing after 1s
Auto Extract / Extract (push) Failing after 4s
CI / Version Check (push) Failing after 9s
CI / Integration Tests (push) Failing after 1s
CI / E2E tests (1/8) (push) Failing after 1s
CI / E2E tests (2/8) (push) Failing after 2s
CI / E2E tests (3/8) (push) Failing after 2s
CI / Browser Tests (push) Failing after 1s
CI / E2E tests (5/8) (push) Failing after 1s
CI / E2E Cloudflare (2/8) (push) Failing after 2s
CI / Typecheck (push) Failing after 1s
CI / Changeset Validation (push) Failing after 2s
CI / E2E Cloudflare (5/8) (push) Failing after 1s
CI / E2E Cloudflare (6/8) (push) Failing after 1s
CI / E2E Cloudflare (7/8) (push) Failing after 1s
CodeQL / Analyze (javascript-typescript) (push) Failing after 1s
Format / Format (push) Failing after 0s
CodeQL / Analyze (actions) (push) Failing after 4s
CI / E2E tests (4/8) (push) Failing after 1s
CI / E2E tests (6/8) (push) Failing after 1s
CI / E2E tests (7/8) (push) Failing after 2s
CI / E2E tests (8/8) (push) Failing after 1s
CI / E2E Cloudflare (1/8) (push) Failing after 1s
CI / E2E Cloudflare (3/8) (push) Failing after 2s
Preview Releases / Publish Preview (push) Failing after 0s
zizmor / Run zizmor (push) Failing after 1s
Release / Release (push) Failing after 2s
CI / Smoke Tests (push) Failing after 5m36s
CI / Tests (push) Failing after 6m36s
Release / Sync Templates (push) Has been skipped
CI / E2E Tests (push) Has been cancelled
chore: import upstream snapshot with attribution
2026-07-13 12:23:53 +08:00

94 lines
2.9 KiB
YAML

name: zizmor
# Always runs on PRs so the "Require code scanning results" ruleset rule
# always has a SARIF to inspect. Real analysis only runs when workflow files
# changed; otherwise we upload an empty SARIF so locale-only / code-only PRs
# aren't blocked waiting for a check that never reports.
on:
push:
branches: [main]
pull_request:
branches: [main]
permissions: {}
jobs:
zizmor:
name: Run zizmor
runs-on: ubuntu-latest
permissions:
security-events: write # upload SARIF to code scanning
contents: read
actions: read
pull-requests: read # dorny/paths-filter calls the PRs API on pull_request events
steps:
- name: Checkout
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Detect workflow changes
id: changes
if: github.event_name == 'pull_request'
uses: dorny/paths-filter@7b450fff21473bca461d4b92ce414b9d0420d706 # v4.0.2
with:
filters: |
workflows:
- '.github/workflows/**'
- '.github/actions/**'
- '.github/zizmor.yml'
- name: Decide whether to analyze
id: decide
env:
EVENT_NAME: ${{ github.event_name }}
CHANGED: ${{ steps.changes.outputs.workflows }}
run: |
if [ "$EVENT_NAME" != "pull_request" ] || [ "$CHANGED" = "true" ]; then
echo "analyze=true" >> "$GITHUB_OUTPUT"
else
echo "analyze=false" >> "$GITHUB_OUTPUT"
fi
- name: Run zizmor
if: steps.decide.outputs.analyze == 'true'
uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7
with:
# Pin the tool version (the action defaults to `latest`) so a new
# zizmor release can't surface findings that block unrelated PRs.
version: "1.26.1"
# When skipped, upload an empty SARIF so the ruleset rule passes.
- name: Write empty SARIF
if: steps.decide.outputs.analyze != 'true'
run: |
cat > zizmor.sarif <<'EOF'
{
"version": "2.1.0",
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
"runs": [
{
"tool": {
"driver": {
"name": "zizmor",
"semanticVersion": "0.0.0",
"rules": []
}
},
"results": [],
"automationDetails": {
"id": "zizmor/"
}
}
]
}
EOF
- name: Upload empty SARIF
if: steps.decide.outputs.analyze != 'true'
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: zizmor.sarif
category: zizmor