b3a7f98e5a
CI / E2E Cloudflare (4/8) (push) Failing after 0s
CI / E2E Cloudflare (8/8) (push) Failing after 1s
CI / Lint (push) Failing after 1s
Auto Extract / Extract (push) Failing after 4s
CI / Version Check (push) Failing after 9s
CI / Integration Tests (push) Failing after 1s
CI / E2E tests (1/8) (push) Failing after 1s
CI / E2E tests (2/8) (push) Failing after 2s
CI / E2E tests (3/8) (push) Failing after 2s
CI / Browser Tests (push) Failing after 1s
CI / E2E tests (5/8) (push) Failing after 1s
CI / E2E Cloudflare (2/8) (push) Failing after 2s
CI / Typecheck (push) Failing after 1s
CI / Changeset Validation (push) Failing after 2s
CI / E2E Cloudflare (5/8) (push) Failing after 1s
CI / E2E Cloudflare (6/8) (push) Failing after 1s
CI / E2E Cloudflare (7/8) (push) Failing after 1s
CodeQL / Analyze (javascript-typescript) (push) Failing after 1s
Format / Format (push) Failing after 0s
CodeQL / Analyze (actions) (push) Failing after 4s
CI / E2E tests (4/8) (push) Failing after 1s
CI / E2E tests (6/8) (push) Failing after 1s
CI / E2E tests (7/8) (push) Failing after 2s
CI / E2E tests (8/8) (push) Failing after 1s
CI / E2E Cloudflare (1/8) (push) Failing after 1s
CI / E2E Cloudflare (3/8) (push) Failing after 2s
Preview Releases / Publish Preview (push) Failing after 0s
zizmor / Run zizmor (push) Failing after 1s
Release / Release (push) Failing after 2s
CI / Smoke Tests (push) Failing after 5m36s
CI / Tests (push) Failing after 6m36s
Release / Sync Templates (push) Has been skipped
CI / E2E Tests (push) Has been cancelled
94 lines
2.9 KiB
YAML
94 lines
2.9 KiB
YAML
name: zizmor
|
|
|
|
# Always runs on PRs so the "Require code scanning results" ruleset rule
|
|
# always has a SARIF to inspect. Real analysis only runs when workflow files
|
|
# changed; otherwise we upload an empty SARIF so locale-only / code-only PRs
|
|
# aren't blocked waiting for a check that never reports.
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
branches: [main]
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
zizmor:
|
|
name: Run zizmor
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
security-events: write # upload SARIF to code scanning
|
|
contents: read
|
|
actions: read
|
|
pull-requests: read # dorny/paths-filter calls the PRs API on pull_request events
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Detect workflow changes
|
|
id: changes
|
|
if: github.event_name == 'pull_request'
|
|
uses: dorny/paths-filter@7b450fff21473bca461d4b92ce414b9d0420d706 # v4.0.2
|
|
with:
|
|
filters: |
|
|
workflows:
|
|
- '.github/workflows/**'
|
|
- '.github/actions/**'
|
|
- '.github/zizmor.yml'
|
|
|
|
- name: Decide whether to analyze
|
|
id: decide
|
|
env:
|
|
EVENT_NAME: ${{ github.event_name }}
|
|
CHANGED: ${{ steps.changes.outputs.workflows }}
|
|
run: |
|
|
if [ "$EVENT_NAME" != "pull_request" ] || [ "$CHANGED" = "true" ]; then
|
|
echo "analyze=true" >> "$GITHUB_OUTPUT"
|
|
else
|
|
echo "analyze=false" >> "$GITHUB_OUTPUT"
|
|
fi
|
|
|
|
- name: Run zizmor
|
|
if: steps.decide.outputs.analyze == 'true'
|
|
uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7
|
|
with:
|
|
# Pin the tool version (the action defaults to `latest`) so a new
|
|
# zizmor release can't surface findings that block unrelated PRs.
|
|
version: "1.26.1"
|
|
|
|
# When skipped, upload an empty SARIF so the ruleset rule passes.
|
|
- name: Write empty SARIF
|
|
if: steps.decide.outputs.analyze != 'true'
|
|
run: |
|
|
cat > zizmor.sarif <<'EOF'
|
|
{
|
|
"version": "2.1.0",
|
|
"$schema": "https://json.schemastore.org/sarif-2.1.0.json",
|
|
"runs": [
|
|
{
|
|
"tool": {
|
|
"driver": {
|
|
"name": "zizmor",
|
|
"semanticVersion": "0.0.0",
|
|
"rules": []
|
|
}
|
|
},
|
|
"results": [],
|
|
"automationDetails": {
|
|
"id": "zizmor/"
|
|
}
|
|
}
|
|
]
|
|
}
|
|
EOF
|
|
|
|
- name: Upload empty SARIF
|
|
if: steps.decide.outputs.analyze != 'true'
|
|
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
|
|
with:
|
|
sarif_file: zizmor.sarif
|
|
category: zizmor
|