59 lines
1.8 KiB
YAML
59 lines
1.8 KiB
YAML
name: Workflow Checks
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
paths:
|
|
- ".github/workflows/**"
|
|
- ".github/actions/**"
|
|
- ".github/zizmor.yml"
|
|
- ".github/actionlint.yaml"
|
|
pull_request:
|
|
paths:
|
|
- ".github/workflows/**"
|
|
- ".github/actions/**"
|
|
- ".github/zizmor.yml"
|
|
- ".github/actionlint.yaml"
|
|
|
|
permissions: {}
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
jobs:
|
|
actionlint:
|
|
name: Actionlint
|
|
runs-on: warp-ubuntu-latest-x64-2x
|
|
permissions:
|
|
contents: read
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Run actionlint
|
|
uses: docker://rhysd/actionlint:1.7.12@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667
|
|
|
|
zizmor:
|
|
name: Zizmor
|
|
# Uploads SARIF to the Security tab, which requires GitHub code scanning to be
|
|
# enabled on the repository. Set the ENABLE_WORKFLOW_SECURITY_SCAN repository
|
|
# variable to 'false' to skip this job where code scanning isn't available;
|
|
# leave it unset (the default) to run the scan.
|
|
if: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN != 'false' }}
|
|
runs-on: warp-ubuntu-latest-x64-2x
|
|
permissions:
|
|
security-events: write # Upload SARIF to GitHub Security tab
|
|
contents: read # Read workflow files for analysis
|
|
actions: read # Read workflow run metadata
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Run zizmor
|
|
uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7
|