From 64000d9d766048c3f8267d9b111c02a0a3a8c42f Mon Sep 17 00:00:00 2001 From: bo0tzz <git@bo0tzz.me> Date: Wed, 23 Apr 2025 17:49:06 +0200 Subject: [PATCH] feat: static analysis job for gha workflows (#17688) * fix: set persist-credentials explicitly for checkout https://woodruffw.github.io/zizmor/audits/#artipacked * fix: minimize permissions scope for workflows https://woodruffw.github.io/zizmor/audits/#excessive-permissions * fix: remove potential template injections https://woodruffw.github.io/zizmor/audits/#template-injection * fix: only pass needed secrets in workflow_call https://woodruffw.github.io/zizmor/audits/#secrets-inherit * fix: push perm for single-arch build jobs I hadn't realised these push to the registry too :x * chore: fix formatting * fix: $ * fix: retag job quoting * feat: static analysis job for gha workflows * chore: fix formatting * fix: clear last zizmor checks * fix: broken merge --------- Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
---
.github/workflows/docker.yml | 6 +++-- .github/workflows/docs-deploy.yml | 14 ++++++------ .github/workflows/docs-destroy.yml | 2 +- .github/workflows/pr-label-validation.yml | 2 +- .github/workflows/pr-labeler.yml | 2 +- .github/workflows/prepare-release.yml | 5 ++++- .github/workflows/static_analysis.yml | 27 +++++++++++++++++++++++ .github/workflows/weblate-lock.yml | 1 + 8 files changed, 46 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index a78d3c25dc..9a65b05ace 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -224,7 +224,7 @@ jobs: BUILD_SOURCE_COMMIT=${{ github.sha }} - name: Export digest - run: | + run: | # zizmor: ignore[template-injection] mkdir -p ${{ runner.temp }}/digests digest="${{ steps.build.outputs.digest }}" touch "${{ runner.temp }}/digests/${digest#sha256:}"
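Review bot: The `run: | # zizmor: ignore[template-injection]` suppression on the Export digest step hides a finding that this same commit fixes properly elsewhere (prepare-release.yml moves its expressions into `env:`), so the two patterns are inconsistent and the suppression carries no rationale for the next reader. `runner.temp` and `steps.build.outputs.digest` are not attacker-controlled, so the ignore is defensible, but passing the digest through `env:` and using the runner's own `RUNNER_TEMP` variable removes the expressions from the shell entirely and also quotes the path that `mkdir -p` currently receives unquoted. The identical hunk at -426 in this file has the same issue. The step's enclosing job starts outside the hunk.
```yaml
      - name: Export digest
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
        run: |
          mkdir -p "${RUNNER_TEMP}/digests"
          touch "${RUNNER_TEMP}/digests/${DIGEST#sha256:}"
```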
@@ -426,7 +426,7 @@ jobs: BUILD_SOURCE_COMMIT=${{ github.sha }} - name: Export digest - run: | + run: | # zizmor: ignore[template-injection] mkdir -p ${{ runner.temp }}/digests digest="${{ steps.build.outputs.digest }}" touch "${{ runner.temp }}/digests/${digest#sha256:}"
@@ -535,6 +535,7 @@ jobs: run: exit 1 - name: All jobs passed or skipped if: ${{ !(contains(needs.*.result, 'failure')) }} + # zizmor: ignore[template-injection] run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}" success-check-ml:
@@ -549,4 +550,5 @@ jobs: run: exit 1 - name: All jobs passed or skipped if: ${{ !(contains(needs.*.result, 'failure')) }} + # zizmor: ignore[template-injection] run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"
diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml
index 10277a0c5e..fd12423fd9 100644
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -1,6 +1,6 @@ name: Docs deploy on: - workflow_run: + workflow_run: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here workflows: ['Docs build'] types: - completed
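Review bot: The `# zizmor: ignore[template-injection]` added above the final echo step in the -535 hunk gives no reason why interpolating `toJSON(needs.*.result)` into the shell is safe, which is exactly what a reader of a suppression needs. Each `needs.<job>.result` is one of the fixed values success, failure, cancelled or skipped, so the expression can never carry user-supplied text; I'd record that inline, `# zizmor: ignore[template-injection] needs.*.result is one of success/failure/cancelled/skipped, never user data`. The same bare suppression appears at -549 in this file and in the weblate-lock.yml hunk. Alternatively `env: RESULTS: ${{ toJSON(needs.*.result) }}` with `echo "$RESULTS"` avoids the suppression and matches how prepare-release.yml handles its inputs in this commit.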
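Review bot: The justification `no attacker inputs are used here` on the `workflow_run:` trigger is hard to reconcile with the rest of this file: the Download artifact step in the -115 hunk fetches an artifact whose id comes from `needs.checks.outputs.artifact`, and if that artifact is produced by a 'Docs build' run of a fork pull request its contents are untrusted data even with the expression injection fixed. The comment should name the actual safeguard rather than deny the input, e.g. `# zizmor: ignore[dangerous-triggers] artifact from the triggering run is only published as static files, never executed` — assuming that is true; what the downloaded artifact is used for is not visible in this diff. The workflow's `on:` block continues outside the hunk.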
@@ -115,22 +115,22 @@ jobs: - name: Load parameters id: parameters uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 + env: + PARAM_JSON: ${{ needs.checks.outputs.parameters }} with: script: | - const json = `${{ needs.checks.outputs.parameters }}`; - const parameters = JSON.parse(json); + const parameters = JSON.parse(process.env.PARAM_JSON); core.setOutput("event", parameters.event); core.setOutput("name", parameters.name); core.setOutput("shouldDeploy", parameters.shouldDeploy); - - run: | - echo "Starting docs deployment for ${{ steps.parameters.outputs.event }} ${{ steps.parameters.outputs.name }}" - - name: Download artifact uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 + env: + ARTIFACT_JSON: ${{ needs.checks.outputs.artifact }} with: script: | - let artifact = ${{ needs.checks.outputs.artifact }}; + let artifact = JSON.parse(process.env.ARTIFACT_JSON); let download = await github.rest.actions.downloadArtifact({ owner: context.repo.owner, repo: context.repo.repo,
diff --git a/.github/workflows/docs-destroy.yml b/.github/workflows/docs-destroy.yml
index 9d1e4b6612..0da258de09 100644
--- a/.github/workflows/docs-destroy.yml
+++ b/.github/workflows/docs-destroy.yml
@@ -1,6 +1,6 @@ name: Docs destroy on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here types: [closed] permissions: {}
diff --git a/.github/workflows/pr-label-validation.yml b/.github/workflows/pr-label-validation.yml
index 8d34597a08..c5e5131920 100644
--- a/.github/workflows/pr-label-validation.yml
+++ b/.github/workflows/pr-label-validation.yml
@@ -1,7 +1,7 @@ name: PR Label Validation on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here types: [opened, labeled, unlabeled, synchronize] permissions: {}
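Review bot: `JSON.parse(process.env.PARAM_JSON)` and `JSON.parse(process.env.ARTIFACT_JSON)` fail with a bare SyntaxError when the `checks` job outputs are empty (a skipped job or an unset output expands to an empty string), which is the most likely failure mode here and is hard to diagnose from the step log. A guard before each parse, `if (!process.env.PARAM_JSON) return core.setFailed("checks job produced no parameters");`, gives a clear message; the same for ARTIFACT_JSON. The removed `echo "Starting docs deployment ..."` step was the only log line naming the event and target; it can be restored without the injection by putting the two step outputs in `env:` and running `echo "Starting docs deployment for $EVENT $NAME"`. The `checks` job that produces these outputs is outside this hunk.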
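Review bot: The `# zizmor: ignore[dangerous-triggers] no attacker inputs are used here` suppression on `pull_request_target:` silences the audit for the whole trigger, but the property it asserts depends on every job in the file: a later step that checks out the PR head ref or consumes PR-authored content would reintroduce the risk without this finding ever reappearing. I'd phrase the comment as the invariant future edits must preserve, e.g. `# zizmor: ignore[dangerous-triggers] safe only while no step checks out or executes PR head content; keep permissions: {}`. The top-level `permissions: {}` visible in this hunk and in the pr-label-validation.yml hunk is the other half of what makes the trigger acceptable, so naming it in the comment ties the two together. The same applies to the pr-label-validation.yml hunk and to the pr-labeler.yml hunk, which also shows `permissions: {}`.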
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
index 5704f4275f..75c6836ab9 100644
--- a/.github/workflows/pr-labeler.yml
+++ b/.github/workflows/pr-labeler.yml
@@ -1,6 +1,6 @@ name: 'Pull Request Labeler' on: - - pull_request_target + - pull_request_target # zizmor: ignore[dangerous-triggers] no attacker inputs are used here permissions: {}
diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml
index dc171597e9..145418d72b 100644
--- a/.github/workflows/prepare-release.yml
+++ b/.github/workflows/prepare-release.yml
@@ -47,7 +47,10 @@ jobs: uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 - name: Bump version - run: misc/release/pump-version.sh -s "${{ inputs.serverBump }}" -m "${{ inputs.mobileBump }}" + env: + SERVER_BUMP: ${{ inputs.serverBump }} + MOBILE_BUMP: ${{ inputs.mobileBump }} + run: misc/release/pump-version.sh -s "${SERVER_BUMP}" -m "${MOBILE_BUMP}" - name: Commit and tag id: push-tag
diff --git a/.github/workflows/static_analysis.yml b/.github/workflows/static_analysis.yml
index 1a3c11d3d5..3efbc25de3 100644
--- a/.github/workflows/static_analysis.yml
+++ b/.github/workflows/static_analysis.yml
@@ -95,3 +95,30 @@ jobs: - name: Run dart custom_lint run: dart run custom_lint working-directory: ./mobile + + zizmor: + name: zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v5 + + - name: Run zizmor 🌈 + run: uvx zizmor --format=sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor
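Review bot: The three new `uses:` references in the static_analysis.yml hunk are pinned by mutable tag (`actions/checkout@v4`, `astral-sh/setup-uv@v5`, `github/codeql-action/upload-sarif@v3`) while every other action in this commit is pinned by commit SHA with a version comment (e.g. `astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5` in prepare-release.yml), so the job that enforces workflow hygiene is the one that doesn't follow it, and zizmor's own unpinned-uses audit is likely to flag it. `uvx zizmor` likewise resolves to whatever version is current at run time, so a new audit in an upstream release can fail CI with no change in this repo; `uvx zizmor@<version>` pins it. If zizmor exits non-zero when it reports findings (its default unless `--no-exit-codes` is passed), the redirected `results.sarif` is never uploaded because the next step does not run, so `if: always()` on the upload step keeps findings flowing into code scanning while the job still fails. The enclosing `jobs:` mapping begins outside the hunk.
```yaml
      - name: Checkout repository
        uses: actions/checkout@<pinned-commit-sha> # v4
        with:
          persist-credentials: false

      - name: Install the latest version of uv
        uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5

      - name: Run zizmor 🌈
        run: uvx zizmor@<pinned-version> --format=sarif . > results.sarif
        # … unchanged: env / GH_TOKEN …

      - name: Upload SARIF file
        if: always()
        uses: github/codeql-action/upload-sarif@<pinned-commit-sha> # v3
        # … unchanged: with / sarif_file / category …
```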
diff --git a/.github/workflows/weblate-lock.yml b/.github/workflows/weblate-lock.yml
index 2aef5c472a..2d644955bc 100644
--- a/.github/workflows/weblate-lock.yml
+++ b/.github/workflows/weblate-lock.yml
@@ -57,4 +57,5 @@ jobs: run: exit 1 - name: All jobs passed or skipped if: ${{ !(contains(needs.*.result, 'failure')) }} + # zizmor: ignore[template-injection] run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"