Skip to content

ci(deps): bump the github-actions group across 1 directory with 13 up… #260

ci(deps): bump the github-actions group across 1 directory with 13 up…

ci(deps): bump the github-actions group across 1 directory with 13 up… #260

Workflow file for this run

name: CI Guardrails
on:
push:
branches:
- 'main'
pull_request:
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true
permissions: {}
jobs:
zizmor:
name: Analyze (Zizmor)
runs-on: ubuntu-latest
permissions:
security-events: write # Required to create code scanning alerts
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: false # needed for Zizmor's use of Docker
egress-policy: block
allowed-endpoints: >
api.github.com:443
ghcr.io:443
github.com:443
pkg-containers.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Run zizmor
uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7
poutine:
name: Analyze (Poutine)
runs-on: ubuntu-latest
permissions:
security-events: write # Required to create code scanning alerts
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
release-assets.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Load pinned tool versions
id: versions
run: |
poutine="$(jq -r '.poutine' tools/github-workflow-tools/versions.json)"
echo "poutine=${poutine}" >> "$GITHUB_OUTPUT"
- name: Install poutine
env:
VERSION: ${{ steps.versions.outputs.poutine }}
run: |
curl -sSfL "https://github.com/boostsecurityio/poutine/releases/download/v${VERSION}/poutine_Linux_x86_64.tar.gz" \
| tar -xzf - -C /usr/local/bin poutine
- name: Generate poutine SARIF
run: |
# poutine emits an all-zero GUID that fails GitHub's UUID validation;
# replace it with a valid RFC-4122 nil-equivalent.
poutine analyze_local "${GITHUB_WORKSPACE}" -f sarif \
| jq '(.runs[].tool.driver.supportedTaxonomies[] | select(.guid == "00000000-0000-0000-0000-000000000000")).guid = "00000000-0000-1000-8000-000000000000"' \
> poutine_results.sarif
- name: Upload poutine SARIF file
uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
with:
sarif_file: poutine_results.sarif
trufflehog:
name: Analyze (TruffleHog)
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: false # needed for TruffleHog's use of Docker
egress-policy: block
allowed-endpoints: >
ghcr.io:443
github.com:443
pkg-containers.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Load pinned tool versions
id: versions
run: |
trufflehog="$(jq -r '.trufflehog' tools/github-workflow-tools/versions.json)"
echo "trufflehog=${trufflehog}" >> "$GITHUB_OUTPUT"
- name: Run TruffleHog
uses: trufflesecurity/trufflehog@f446421baf832d6356c42c1743d99abff52ff334 # v3.95.7
with:
extra_args: --results=verified,unknown
version: ${{ steps.versions.outputs.trufflehog }}
pom-consistency:
name: Analyze (POM Consistency)
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
raw.githubusercontent.com:443
api.github.com:443
files.pythonhosted.org:443
github.com:443
pypi.org:443
release-assets.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Set up uv
uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0
- name: Check plugin version consistency
run: uv run --project tools/github-workflow-tools --group python-common python3 .github/scripts/check-pom-consistency.py
hook-coverage:
name: Validate Hook Coverage Mapping
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Validate hook coverage mapping
run: python3 .github/scripts/check-hook-coverage.py
hook-revisions-frozen:
name: Validate Hook Revisions Are Frozen
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
with:
disable-sudo-and-containers: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout repository
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
- name: Validate hook revisions are frozen
run: python3 .github/scripts/check-hook-revisions-frozen.py