Skip to content

Add zizmor security analysis + harden workflows #179

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Seldaek wants to merge 3 commits into
base: main
Choose a base branch
from
+68 −9
Open

Add zizmor security analysis + harden workflows #179

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
7132098
Add zizmor GitHub Actions security analysis + dependabot
Seldaek May 29, 2026
71b9943
Harden workflows to pass zizmor (pedantic)
Seldaek May 29, 2026
f0ec08b
Revert builds.yml steps to shell: cmd
Seldaek May 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
cooldown:
default-days: 7
12 changes: 10 additions & 2 deletions .github/workflows/builds.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,13 @@
paths-ignore:
- '**.md'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
build-and-deploy:
name: Build & deploy
Expand All @@ -22,13 +29,14 @@

steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
fetch-depth: 1

- name: Compile Composer-Setup
run: iscc src\composer.iss
shell: cmd

Check warning on line 39 in .github/workflows/builds.yml

View workflow job for this annotation

GitHub Actions / Run zizmor 🌈

misfeature 

builds.yml:39: usage of GitHub Actions misfeatures: shell defined here

- name: Build Chocolatey package
if: matrix.install == 'choco'
Expand All @@ -37,7 +45,7 @@
- name: Install Composer-Setup.exe
if: matrix.install == 'exe'
run: builds\output\Composer-Setup.dev.exe /VERYSILENT /SUPPRESSMSGBOXES /DEV=C:\composer /LOG=C:\install.txt
shell: cmd

Check warning on line 48 in .github/workflows/builds.yml

View workflow job for this annotation

GitHub Actions / Run zizmor 🌈

misfeature 

builds.yml:48: usage of GitHub Actions misfeatures: shell defined here

- name: Install Chocolatey package
if: matrix.install == 'choco'
Expand All @@ -45,7 +53,7 @@
run: choco upgrade -y composer --source .\chocolatey\local --params '"/Dev:C:\composer"' --ia '"/LOG=C:\install.txt"'

- name: Upload install log
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
with:
name: install-${{ matrix.install }}-log
path: C:\install.txt
Expand All @@ -62,7 +70,7 @@

- name: Run
run: composer --version
shell: cmd

Check warning on line 73 in .github/workflows/builds.yml

View workflow job for this annotation

GitHub Actions / Run zizmor 🌈

misfeature 

builds.yml:73: usage of GitHub Actions misfeatures: shell defined here

- name: Run in bash
run: composer --version
Expand Down
22 changes: 15 additions & 7 deletions .github/workflows/tests.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,13 @@ on:
paths-ignore:
- '**.md'

permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

jobs:
ini-tests:
name: Ini Tests
Expand All @@ -28,12 +35,13 @@ jobs:

steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
fetch-depth: 1

- name: Setup PHP
uses: shivammathur/setup-php@v2
uses: shivammathur/setup-php@7c071dfe9dc99bdf297fa79cb49ea005b9fcadbc # 2.37.1
with:
php-version: ${{ matrix.php-versions }}
extensions: none
Expand All @@ -42,28 +50,28 @@ jobs:
run: iscc src\composer.iss

- name: Create log directory
run: mkdir ${{ env.LOG_DIR }}
run: mkdir %LOG_DIR%

- name: Setup no-extensions
run: php .github\workflows\ini-util.php --no-extensions

- name: Test no-extensions
run: ${{ env.SETUP_CMD }} /LOG=${{ env.LOG_DIR }}/no-extensions.txt
run: %SETUP_CMD% /LOG=%LOG_DIR%/no-extensions.txt

- name: Setup no-ini
run: php .github\workflows\ini-util.php --no-ini

- name: Test no-ini
run: ${{ env.SETUP_CMD }} /LOG=${{ env.LOG_DIR }}/no-ini.txt
run: %SETUP_CMD% /LOG=%LOG_DIR%/no-ini.txt

- name: Setup wrong-extdir
run: php .github\workflows\ini-util.php --wrong-extdir

- name: Test wrong-extdir
run: ${{ env.SETUP_CMD }} /LOG=${{ env.LOG_DIR }}/wrong-extdir.txt
run: %SETUP_CMD% /LOG=%LOG_DIR%/wrong-extdir.txt

- name: Upload install logs
uses: actions/upload-artifact@v2
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
if: ${{ always() }}
with:
name: install-${{ matrix.php-versions }}-log
Expand Down
35 changes: 35 additions & 0 deletions .github/workflows/zizmor.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
name: GitHub Actions Security Analysis with zizmor 🌈

on:
push:
branches:
- main
paths:
- '.github/**.yml'
pull_request:
paths:
- '.github/**.yml'

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

permissions:
contents: read

jobs:
zizmor:
name: Run zizmor 🌈
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run zizmor 🌈
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
advanced-security: false
annotations: true
persona: 'pedantic'
Loading