From 8cfde5e26f444b7fcf8c4ceefb7297f8034d3acc Mon Sep 17 00:00:00 2001
From: wadackel
Date: Sun, 17 May 2026 10:57:15 +0900
Subject: [PATCH] ci: add zizmor audit and consolidate gh-actions checks

Introduce zizmor 1.25.2 (mise) as a static analyzer for GitHub Actions workflows and composite actions, alongside the existing actionlint. Consolidate both into a single audit-actions.yaml workflow with two parallel jobs to share trigger / permissions / concurrency declarations. Also add persist-credentials: false to every actions/checkout step that lacked it, resolving the artipacked findings zizmor raised at baseline.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../{actionlint.yaml => audit-actions.yaml} | 20 ++++++++++++++++++-
 .github/workflows/ci.yaml | 3 +++
 .github/workflows/e2e.yaml | 2 ++
 mise.toml | 1 +
 4 files changed, 25 insertions(+), 1 deletion(-)
 rename .github/workflows/{actionlint.yaml => audit-actions.yaml} (59%)

diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/audit-actions.yaml
similarity index 59%
rename from .github/workflows/actionlint.yaml
rename to .github/workflows/audit-actions.yaml
index 0406ea1..290d17a 100644
--- a/.github/workflows/actionlint.yaml
+++ b/.github/workflows/audit-actions.yaml
@@ -1,4 +1,4 @@
-name: Lint GitHub Actions
+name: Audit GitHub Actions
 
 on:
   pull_request:
@@ -8,12 +8,14 @@ on:
       - reopened
     paths:
       - '.github/**'
+      - 'action.yaml'
   push:
     branches:
       - main
       - 'releases/*'
     paths:
       - '.github/**'
+      - 'action.yaml'
 
 permissions:
   contents: read
@@ -27,6 +29,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup
         with:
@@ -34,3 +38,17 @@ jobs:
       - name: Run actionlint
         run: actionlint -color
+
+  zizmor:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - uses: ./.github/actions/setup
+        with:
+          install: 'false'
+
+      - name: Run zizmor
+        run: zizmor .
 
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 724cebc..da1bda4 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -25,6 +25,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: ./.github/actions/setup
 
@@ -38,6 +39,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup
 
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index 30429d3..3b6863b 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -35,6 +35,8 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup
 
diff --git a/mise.toml b/mise.toml
index 383ad48..239f74c 100644
--- a/mise.toml
+++ b/mise.toml
@@ -2,3 +2,4 @@
 actionlint = "1.7.12"
 node = "24.15.0"
 pnpm = "11.0.9"
+zizmor = "1.25.2"
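Review bot: The new `Run zizmor` step calls `zizmor .` without a `GH_TOKEN` in its environment, so unless the runner already provides one, zizmor falls back to offline mode and silently skips its online audits (`known-vulnerable-actions`, `impostor-commit`, `ref-confusion`), which are the checks that validate the commit-pinned third-party actions this repository relies on. The workflow token is sufficient for those read-only lookups, so adding `env:` / `GH_TOKEN: ${{ github.token }}` to that step closes the gap without changing the workflow-level `permissions: contents: read`. If offline operation is the intent, making it explicit with `run: zizmor --offline .` documents the reduced coverage instead of depending on the fallback. The enclosing `jobs:` mapping starts above this hunk.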
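Review bot: `persist-credentials: false` on the `actions/checkout` step means the workflow token is no longer left in the checked-out repository's git config, so any later step in this job that runs authenticated git operations (push, tag, fetch of a private remote) or a tool that depends on that stored credential will begin to fail; the rest of the job is outside this hunk, so please confirm no such step exists, or hand it the token explicitly. The same consideration applies to the second `ci.yaml` hunk and to the `e2e.yaml` hunk, which add the same setting. The checkout itself is unaffected, since the token is still used during the fetch and only its persistence is disabled.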