diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index dc7cf6f21a28..7716bc2f225b 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -36,6 +36,8 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Create matrix
 id: platforms
@@ -78,14 +80,15 @@ jobs:
 working-directory: ./build
 run: |
 mkdir /tmp/out
- platform=${{ matrix.platform }}
- platformPair=${platform//\//-}
+ platformPair=${PLATFORM//\//-}
 tar -cvzf "/tmp/out/docker-${platformPair}.tar.gz" .
 if [ -z "${{ matrix.use_glibc }}" ]; then
 echo "ARTIFACT_NAME=${{ matrix.target }}-${platformPair}" >> $GITHUB_ENV
 else
 echo "ARTIFACT_NAME=${{ matrix.target }}-${platformPair}-glibc" >> $GITHUB_ENV
 fi
+ env:
+ PLATFORM: ${{ matrix.platform }}
 - name: Upload artifacts
 uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
@@ -144,6 +147,8 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Create matrix
 id: platforms
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 40389f5842e3..96f185a496bd 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -49,6 +49,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 2
+ persist-credentials: false
 # CodeQL 2.16.4's auto-build added support for multi-module repositories,
 # and is trying to be smart by searching for modules in every directory,
 # including vendor directories. If no module is found, it's creating one
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index 758664007575..8f15cada8240 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
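Review bot: The run script in the second build.yml hunk still interpolates `${{ matrix.use_glibc }}` and `${{ matrix.target }}` straight into the shell, so only one of the three matrix expansions was moved behind an env var; a matrix value containing a quote or `$(` would still be spliced into the script at render time. If the matrix is produced by the `Create matrix` step's output (as `id: platforms` suggests), zizmor's template-injection audit treats it as dynamic and will keep flagging the two that remain, so the same `env:` indirection should be applied consistently. I'd add `TARGET: ${{ matrix.target }}` and `USE_GLIBC: ${{ matrix.use_glibc }}` next to `PLATFORM` and reference them as `"${USE_GLIBC}"` / `${TARGET}` in the script. While there, quoting `"$GITHUB_ENV"` costs nothing. The step's `strategy:`/`with:` context starts outside the hunk, so whether the matrix is static or dynamic is inferred, not visible here.
```yaml
        run: |
          # … unchanged: mkdir, platformPair, tar …
          if [ -z "${USE_GLIBC}" ]; then
            echo "ARTIFACT_NAME=${TARGET}-${platformPair}" >> "$GITHUB_ENV"
          else
            echo "ARTIFACT_NAME=${TARGET}-${platformPair}-glibc" >> "$GITHUB_ENV"
          fi
        env:
          PLATFORM: ${{ matrix.platform }}
          TARGET: ${{ matrix.target }}
          USE_GLIBC: ${{ matrix.use_glibc }}
```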
@@ -45,6 +45,8 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Update daemon.json
 run: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 1008218ebaad..e160a75ed3b7 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -63,6 +63,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: ${{ env.GOPATH }}/src/github.com/docker/cli
+ persist-credentials: false
 - name: Set up Go
 uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index bafacfe7d4bc..c773b6314f10 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -49,6 +49,8 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Generate
 shell: 'script --return --quiet --command "bash {0}"'
@@ -75,6 +77,8 @@ jobs:
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Run
 shell: 'script --return --quiet --command "bash {0}"'
@@ -92,6 +96,7 @@ jobs:
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 path: src/github.com/docker/cli
+ persist-credentials: false
 - name: Set up Go
 uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000000..07b1b70dc7fe
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,31 @@
+name: zizmor
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'main'
+ - 'master'
+ - '[0-9]+.[0-9]+'
+ - '[0-9]+.x'
+ tags:
+ - 'v*'
+ pull_request:
+
+jobs:
+ run:
+ uses: crazy-max/.github/.github/workflows/zizmor.yml@9ba6e6f9450baf3b1237f8035c1fdc45932510bd # v1.8.0
+ permissions:
+ contents: read
+ security-events: write
+ with:
+ min-severity: medium
+ min-confidence: medium
+ persona: pedantic
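Review bot: The `run` job grants a third-party reusable workflow `security-events: write` while the workflow also triggers on `pull_request`; for pull requests from forks the token is read-only regardless of this grant, so if the reusable workflow uploads SARIF to code scanning (not visible here) that step will likely fail on fork PRs and may need `continue-on-error` or a `github.event.pull_request.head.repo.fork` guard in the caller. Pinning `uses:` to a full commit SHA is the right call for a workflow that receives a write-scoped token, but make sure Dependabot or Renovate is configured for `github-actions` updates so the `# v1.8.0` comment does not drift from the SHA it annotates. A one-line comment above `security-events: write` explaining why a read-only scan job needs a write scope, e.g. `# required by the reusable workflow to upload the SARIF report to code scanning`, would help the next reader, assuming that is indeed what the reusable workflow does. `on:` is read as boolean `true` by YAML 1.1 linters; if yamllint runs on this repository it will need `# yamllint disable-line rule:truthy` on that line.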