name: Workflow Checks on: push: branches: [main] paths: - ".github/workflows/**" - ".github/actions/**" - ".github/zizmor.yml" - ".github/actionlint.yaml" pull_request: paths: - ".github/workflows/**" - ".github/actions/**" - ".github/zizmor.yml" - ".github/actionlint.yaml" permissions: {} concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true jobs: actionlint: name: Actionlint runs-on: warp-ubuntu-latest-x64-2x permissions: contents: read steps: - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Run actionlint uses: docker://rhysd/actionlint:1.7.12@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667 zizmor: name: Zizmor # Uploads SARIF to the Security tab, which requires GitHub code scanning to be # enabled on the repository. Set the ENABLE_WORKFLOW_SECURITY_SCAN repository # variable to 'false' to skip this job where code scanning isn't available; # leave it unset (the default) to run the scan. if: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN != 'false' }} runs-on: warp-ubuntu-latest-x64-2x permissions: security-events: write # Upload SARIF to GitHub Security tab contents: read # Read workflow files for analysis actions: read # Read workflow run metadata steps: - name: Checkout repository uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Run zizmor uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7