
feat: check actions security action #725


Draft
wants to merge 66 commits into base: main

Conversation

moe-ad
Copy link
Contributor

@moe-ad moe-ad commented Mar 6, 2025

Closes #692. Closes #680.

@moe-ad moe-ad added this to the ansys/actions@v9 milestone Mar 6, 2025
@moe-ad moe-ad self-assigned this Mar 6, 2025
@ansys-reviewer-bot
Copy link
Contributor

Thanks for opening a Pull Request. If you want to perform a review write a comment saying:

@ansys-reviewer-bot review

@moe-ad moe-ad marked this pull request as ready for review March 6, 2025 17:23
@moe-ad moe-ad requested a review from a team as a code owner March 6, 2025 17:23
@moe-ad moe-ad marked this pull request as draft March 6, 2025 17:24
@moe-ad moe-ad marked this pull request as ready for review March 7, 2025 13:35
@moe-ad moe-ad marked this pull request as draft March 7, 2025 13:36
@moe-ad moe-ad marked this pull request as ready for review March 7, 2025 13:37
@github-actions github-actions bot added enhancement General improvements to existing features ci Pipelines maintenance related labels Mar 7, 2025
@moe-ad moe-ad marked this pull request as draft March 7, 2025 14:00
@moe-ad moe-ad force-pushed the feat/check-actions-security-action branch from 9e8f1ed to 18da686 Compare March 7, 2025 15:23
@SMoraisAnsys
Copy link
Contributor

> @SMoraisAnsys to buttress your point, I also can't see what works for us currently wrt the current methods of ignoring things in zizmor. What do you think about parsing zizmor's output and overriding with a 0 exit code if the following are satisfied:
>
>   • All raised issues are due to the unpinned-uses audit rule &&
>   • The unpinned-uses issues are due to ansys/actions
>
> Otherwise we might need to request a feature which allows fine-grained ignore rule controls; the maintainer seems very responsive.

I think contacting the maintainer is a better option since it would also benefit other organizations implementing their own composite actions. Moreover, in my experience, parsing the output of an app can be a real pain if the output / format changes even just a bit. I know that people in the open source world are more aware of breaking changes but I would avoid it if possible.
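The post-filter sketched in the quoted comment (exit 0 only when every finding is an `unpinned-uses` hit on an `ansys/actions` reference) is shown below as an added example; it is not code from ansys/actions, from this PR, or from zizmor. The JSON shape it reads (a list of findings with an `ident` field and `locations[].concrete.feature` holding the offending `uses:` line) is an assumption made for illustration, and the sample outputs are constructed, not captured from a real run. It is written to fail closed: any finding that is not the waived audit, or whose location cannot be read, keeps the exit code non-zero, which is the behaviour a practitioner would want given the format-drift concern raised in the reply.

```python
"""Post-filter for zizmor findings, added here as an illustration.

This is NOT code from ansys/actions or from zizmor. The JSON shape it reads is
an ASSUMPTION: a top-level list of findings, each carrying the audit name in
"ident" and a list of "locations" whose "concrete" entry has a "feature"
string holding the offending `uses:` line. Verify against the real
`zizmor --format json` output before relying on it.
"""
import json
import sys

WAIVED_AUDIT = "unpinned-uses"     # the only audit rule we are willing to waive
TRUSTED_PREFIX = "ansys/actions/"  # the org's own composite actions


def uses_reference(location: dict) -> str:
    """Extract the `owner/repo/path@ref` part from an assumed `uses: ...` feature string."""
    feature = (location.get("concrete") or {}).get("feature", "")
    if not feature.startswith("uses:"):
        return ""
    return feature[len("uses:"):].strip()


def finding_is_waivable(finding: dict) -> bool:
    """True only when the finding is unpinned-uses AND every location points at ansys/actions.

    Fails closed: a different audit name, an empty location list, or a location
    whose reference cannot be read all make the finding blocking.
    """
    if finding.get("ident") != WAIVED_AUDIT:
        return False
    locations = finding.get("locations") or []
    if not locations:
        return False
    return all(uses_reference(loc).startswith(TRUSTED_PREFIX) for loc in locations)


def exit_code_for(findings: list) -> int:
    """0 when every finding is waivable (or there are none), otherwise 1."""
    return 0 if all(finding_is_waivable(f) for f in findings) else 1


def evaluate(raw_json: str) -> int:
    """Parse zizmor's JSON and map it to an exit code; unparsable or unexpected input is exit 2."""
    try:
        findings = json.loads(raw_json)
    except json.JSONDecodeError:
        return 2
    if not isinstance(findings, list):
        return 2
    return exit_code_for(findings)


# Constructed sample outputs (not real zizmor runs) exercising both branches.
SAMPLE_WAIVABLE = json.dumps([
    {"ident": "unpinned-uses",
     "locations": [{"concrete": {"feature": "uses: ansys/actions/doc-build@v8"}}]},
    {"ident": "unpinned-uses",
     "locations": [{"concrete": {"feature": "uses: ansys/actions/code-style@v8"}}]},
])
SAMPLE_BLOCKING = json.dumps([
    {"ident": "unpinned-uses",
     "locations": [{"concrete": {"feature": "uses: ansys/actions/doc-build@v8"}}]},
    {"ident": "unpinned-uses",
     "locations": [{"concrete": {"feature": "uses: actions/checkout@v4"}}]},
])

if __name__ == "__main__":
    # Usage (assumed invocation): zizmor --format json .github/workflows | python waive_unpinned.py
    sys.exit(evaluate(sys.stdin.read()))
```

The reason the script returns a distinct exit code (2) for anything it cannot parse, rather than 0, is exactly the fragility the reply points out: if zizmor's output format shifts, the workflow step should fail loudly instead of silently waiving every finding.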

@moe-ad
Copy link
Contributor Author

moe-ad commented Mar 24, 2025

Feature requested: woodruffw/zizmor#626

Edit: we should also keep track of woodruffw/zizmor#558

@moe-ad moe-ad temporarily deployed to no-dependabot April 17, 2025 11:19 — with GitHub Actions Inactive
@moe-ad moe-ad temporarily deployed to no-dependabot April 17, 2025 12:18 — with GitHub Actions Inactive
@moe-ad moe-ad temporarily deployed to no-dependabot April 17, 2025 13:33 — with GitHub Actions Inactive
@moe-ad moe-ad temporarily deployed to no-dependabot April 17, 2025 13:35 — with GitHub Actions Inactive
@moe-ad moe-ad force-pushed the feat/check-actions-security-action branch from 3b0bcf9 to 7df0d5f Compare April 17, 2025 13:41
@moe-ad moe-ad temporarily deployed to no-dependabot April 17, 2025 13:41 — with GitHub Actions Inactive
@moe-ad moe-ad temporarily deployed to no-dependabot April 17, 2025 13:44 — with GitHub Actions Inactive
@moe-ad moe-ad temporarily deployed to no-dependabot April 18, 2025 08:25 — with GitHub Actions Inactive
Labels: ci (Pipelines maintenance related), enhancement (General improvements to existing features)
Projects: None yet
Development

Successfully merging this pull request may close these issues:

  • Implement zizmor to secure our actions
  • Add analysis tool for Github Actions
4 participants