diff --git a/.github/dependabot.yml b/.github/dependabot.yml index ee3b5fd..36aaaa3 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -10,5 +10,10 @@ updates: - "/.github/actions/*" schedule: interval: weekly + cooldown: + # Wait this many days before opening an update PR for a freshly + # published release, so a compromised release has time to be caught + # and yanked before it is auto-adopted (zizmor dependabot-cooldown). + default-days: 7 # Dependabot updates both tag-pinned and SHA-pinned action # references. PRs from Dependabot follow normal review. diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index e3f9d5e..e5b00b5 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -188,3 +188,20 @@ jobs: printf 'Version: %s\n' "$VERSION" printf 'Date: %s\n' "$RELEASE_DATE" printf '%s\n' "$NOTES" + + workflow-security: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + persist-credentials: false + - uses: ./.github/actions/setup-nix + - name: Audit workflows with zizmor + env: + GH_TOKEN: ${{ github.token }} + run: nix run .#zizmor -- .github/ + - name: Verify action pins and version comments with pinact + env: + GITHUB_TOKEN: ${{ github.token }} + run: nix run .#pinact -- run --check