Skip to content

Commit 4729803

Browse files
committed
[DEVOPS-917] configure for zizmor
1 parent 4beae35 commit 4729803

8 files changed

Lines changed: 99 additions & 13 deletions

File tree

.github/dependabot.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,8 @@ version: 2
77
updates:
88
- package-ecosystem: "github-actions"
99
directory: "/"
10-
schedule:
11-
interval: "monthly"
1210
target-branch: "develop"
11+
schedule:
12+
interval: "weekly"
13+
cooldown:
14+
default-days: 4

.github/workflows/issue_to_jira.yml

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -4,10 +4,18 @@ on:
44
issues:
55
types: [opened]
66

7+
permissions: {}
8+
79
jobs:
810
call-workflow-create-jira-issue:
9-
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@main
10-
secrets: inherit
11+
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-issue_to_jira.yml@v2
12+
permissions:
13+
contents: read
14+
issues: write
1115
with:
1216
project-key: 'GEOPY'
1317
components: '[{"name": "curve-apps"}]'
18+
secrets:
19+
JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
20+
JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}
21+
JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
Lines changed: 11 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,10 +1,18 @@
11
name: Add JIRA issue summary
22

33
on:
4-
pull_request_target:
4+
pull_request:
55
types: [opened]
66

7+
permissions: {}
8+
79
jobs:
810
call-workflow-add-jira-issue-summary:
9-
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@main
10-
secrets: inherit
11+
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-jira-pr_add_jira_summary.yml@v2
12+
permissions:
13+
contents: read
14+
pull-requests: write
15+
secrets:
16+
JIRA_BASE_URL: ${{ secrets.JIRA_BASE_URL }}
17+
JIRA_USER_EMAIL: ${{ secrets.JIRA_USER_EMAIL }}
18+
JIRA_API_TOKEN: ${{ secrets.JIRA_API_TOKEN }}

.github/workflows/python_analysis.yml

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,21 +17,29 @@ on:
1717
- feature/**
1818
- hotfix/**
1919

20+
permissions: {}
21+
2022
concurrency:
2123
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
2224
cancel-in-progress: true
2325

2426
jobs:
2527
call-workflow-static-analysis:
2628
name: Static analysis
27-
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-static_analysis.yml@main
29+
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-static_analysis.yml@v2
30+
permissions:
31+
contents: read
32+
pull-requests: read
2833
with:
2934
package-manager: 'conda'
3035
app-name: 'curve_apps'
3136
python-version: '3.10'
3237
call-workflow-pytest:
3338
name: Pytest
34-
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-pytest.yml@main
39+
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-pytest.yml@v2
40+
permissions:
41+
contents: read
42+
pull-requests: read
3543
with:
3644
package-manager: 'conda'
3745
python-versions: '["3.10", "3.11", "3.12"]'

.github/workflows/python_deploy_dev.yml

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,14 +5,19 @@ on:
55
tags:
66
- 'v*' # Push events to every version tag (eg. v1.0.0)
77

8+
permissions: {}
9+
810
concurrency:
911
group: ${{ github.workflow }}-${{ github.ref || github.run_id }}
1012
cancel-in-progress: true
1113

1214
jobs:
1315
call-workflow-conda-publish:
1416
name: Publish development conda package on JFrog Artifactory
15-
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_rattler_package.yml@main
17+
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_rattler_package.yml@v2
18+
permissions:
19+
id-token: write
20+
contents: write
1621
with:
1722
package-name: 'curve-apps'
1823
python-version: '3.10'
@@ -24,7 +29,10 @@ jobs:
2429
JFROG_ARTIFACTORY_TOKEN: ${{ secrets.JFROG_ARTIFACTORY_TOKEN }}
2530
call-workflow-pypi-publish:
2631
name: Publish development pypi package (JFrog Artifactory, TestPyPI)
27-
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_pypi_package.yml@main
32+
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-publish_pypi_package.yml@v2
33+
permissions:
34+
id-token: write
35+
contents: write
2836
with:
2937
package-manager: 'poetry'
3038
package-name: 'curve-apps'

.github/workflows/python_deploy_prod.yml

Lines changed: 10 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -19,6 +19,8 @@ on:
1919
type: boolean
2020
default: true
2121

22+
permissions: {}
23+
2224
concurrency:
2325
group: ${{ github.workflow }}-${{ github.event.release.tag_name || github.event.inputs.release-tag || github.run_id }}
2426
cancel-in-progress: true
@@ -27,7 +29,10 @@ jobs:
2729
call-workflow-conda-release:
2830
name: Publish production Conda package on JFrog Artifactory
2931
if: ${{ github.event_name == 'release' || github.event.inputs.publish-conda == 'true' }}
30-
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_conda_assets.yml@main
32+
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_conda_assets.yml@v2
33+
permissions:
34+
id-token: write
35+
contents: write
3136
with:
3237
virtual-repo-names: '["public-noremote-conda-prod"]'
3338
release-tag: ${{ github.event.release.tag_name || github.event.inputs.release-tag }}
@@ -37,7 +42,10 @@ jobs:
3742
call-workflow-pypi-release:
3843
name: Publish production PyPI package (JFrog Artifactory, PyPI)
3944
if: ${{ github.event_name == 'release' || github.event.inputs.publish-pypi == 'true' }}
40-
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_pypi_assets.yml@main
45+
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-python-release_pypi_assets.yml@v2
46+
permissions:
47+
id-token: write
48+
contents: write
4149
with:
4250
package-name: 'curve-apps'
4351
virtual-repo-names: '["public-pypi-prod", "pypi"]'
Lines changed: 43 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,43 @@
1+
name: Security Scan
2+
3+
on:
4+
pull_request:
5+
types: [opened, synchronize, reopened, ready_for_review]
6+
branches:
7+
- develop
8+
- main
9+
- release/**
10+
- feature/**
11+
- hotfix/**
12+
push:
13+
branches:
14+
- develop
15+
- main
16+
- release/**
17+
- feature/**
18+
- hotfix/**
19+
20+
permissions: {}
21+
22+
concurrency:
23+
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
24+
cancel-in-progress: true
25+
26+
jobs:
27+
call-workflow-zizmor-annotate:
28+
name: Zizmor analysis (advanced security)
29+
if: ${{ github.event_name != 'pull_request' }}
30+
permissions:
31+
security-events: write
32+
contents: read
33+
actions: read
34+
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-advanced-security.yml@v2
35+
36+
call-workflow-zizmor-advanced-security:
37+
name: Zizmor analysis (annotate)
38+
if: ${{ github.event_name == 'pull_request' }}
39+
permissions:
40+
checks: write
41+
contents: read
42+
actions: read
43+
uses: MiraGeoscience/CI-tools/.github/workflows/reusable-zizmor-annotate.yml@v2

zizmor.yml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
rules:

0 commit comments

Comments
 (0)