Skip to content

Commit 469cb5d

Browse files
committed
Harden GitHub Actions workflows with zizmor
1 parent f004e11 commit 469cb5d

5 files changed

Lines changed: 54 additions & 0 deletions

File tree

.github/dependabot.yml

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: "github-actions"
4+
directory: "/"
5+
schedule:
6+
interval: "monthly"
7+
cooldown:
8+
default-days: 30

.github/workflows/galaxy_social.yml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,8 @@ on:
1313
description: "The number of the pull request to create preview for"
1414
required: true
1515

16+
permissions: {}
17+
1618
jobs:
1719
manage_content:
1820
name: Manage Content

.github/workflows/validate_social_plugin.yml

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,12 +9,18 @@ on:
99
- ".github/workflows/galaxy_social.yml"
1010
- "README.md"
1111

12+
permissions: {}
13+
1214
jobs:
1315
validate:
1416
runs-on: ubuntu-latest
17+
permissions:
18+
contents: read
1519
steps:
1620
- name: Checkout Code
1721
uses: actions/checkout@v4
22+
with:
23+
persist-credentials: false
1824

1925
- name: Set up Python
2026
uses: actions/setup-python@v5

.github/workflows/zizmor.yml

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
name: GitHub Actions Security Analysis with zizmor
2+
3+
on:
4+
push:
5+
paths:
6+
- '.github/workflows/*'
7+
pull_request:
8+
paths:
9+
- '.github/workflows/*'
10+
11+
permissions: {}
12+
13+
jobs:
14+
zizmor:
15+
name: Run zizmor
16+
runs-on: ubuntu-latest
17+
permissions:
18+
contents: read
19+
actions: read
20+
steps:
21+
- name: Checkout repository
22+
uses: actions/checkout@v6
23+
with:
24+
persist-credentials: false
25+
26+
- name: Run zizmor
27+
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
28+
with:
29+
advanced-security: false

zizmor.yml

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
rules:
2+
unpinned-uses:
3+
config:
4+
policies:
5+
'*': ref-pin
6+
dangerous-triggers:
7+
ignore:
8+
- galaxy_social.yml
9+
- validate_social_plugin.yml

0 commit comments

Comments
 (0)