Thank you Doctor Zizmor!

hynek · Oct 31, 2024 · 8c260a5 · 8c260a5
1 parent 0b4828b
commit 8c260a5
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 8 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -35,6 +35,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: ${{ matrix.python-version }}
@@ -43,8 +44,9 @@ jobs:
       - run: python -Im pip install tox
 
       - name: Determine Python version for tox
+        env:
+          V: ${{ matrix.python-version }}
         run: |
-          V=${{ matrix.python-version }}
           if [[ "$V" = pypy-* ]]; then
             V=$(echo $V | tr -d .-)
           else
@@ -53,14 +55,16 @@ jobs:
 
           echo TOX_PYTHON=$V >>$GITHUB_ENV
 
-      - run: python -Im tox run -f ${{ env.TOX_PYTHON }}
+      - run: python -Im tox run -f $TOX_PYTHON
 
   system-package:
     runs-on: ubuntu-latest
     name: Install and test with system package of Argon2
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version-file: .python-version-default
@@ -82,6 +86,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
       - uses: hynek/build-and-inspect-python-package@v2
         id: baipp
 
@@ -91,7 +96,9 @@ jobs:
           python-version: "3.x"  # use the one that baipp used
 
       # Smoke-check the wheel against argon2-cffi.
-      - run: python -Im pip install ${{ steps.baipp.outputs.dist }}/*.whl
+      - run: python -Im pip install $DIST/*.whl
+        env:
+          DIST: ${{ steps.baipp.outputs.dist }}
       - run: python -Im pip install --no-deps git+https://github.com/hynek/argon2-cffi.git
       - run: python -Im argon2 -n 1 -t 1 -m 8 -p 1
 
@@ -107,6 +114,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           cache: pip
@@ -127,6 +135,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           cache: pip

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -2,11 +2,6 @@
 name: CodeQL
 
 on:
-  push:
-    branches: [main]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [main]
   schedule:
     - cron: "30 22 * * 4"
 
@@ -30,11 +25,16 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
           languages: ${{ matrix.language }}
 
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v3
+
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
diff --git a/.github/workflows/wheels.yml b/.github/workflows/wheels.yml
@@ -29,6 +29,7 @@ jobs:
           submodules: recursive
           fetch-depth: 0
           fetch-tags: true
+          persist-credentials: false
 
       - name: Set up QEMU
         if: runner.os == 'Linux'

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,38 @@
+# https://github.com/woodruffw/zizmor
+name: GitHub Actions Security Analysis with Zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["*"]
+
+permissions:
+  contents: read
+
+
+jobs:
+  zizmor:
+    name: Zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - name: Setup Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+      - name: Get zizmor
+        run: cargo install zizmor
+      - name: Run zizmor
+        run: zizmor --format sarif . > results.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          # Path to SARIF file relative to the root of the repository
+          sarif_file: results.sarif
+          # Optional category for the results
+          # Used to differentiate multiple results for one commit
+          category: zizmor