Merge pull request #199 from AliYmn/158

bckohan · web-flow · commit 65e803c45063 · 2025-03-15T14:50:41.000-08:00
Add Zizmor security workflow to enhance project security posture
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -47,6 +47,8 @@ jobs:
       TEST_DJANGO_VERSION: ${{ matrix.django-version }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v5
         id: sp
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -40,6 +40,8 @@ jobs:
       RELEASE_VERSION: ${{ steps.set-package.outputs.release_version }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -60,6 +60,8 @@ jobs:
       TEST_DJANGO_VERSION: ${{ matrix.django-version }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       id: sp
@@ -123,6 +125,8 @@ jobs:
       TEST_DJANGO_VERSION: ${{ matrix.django-version }}
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       id: sp
@@ -180,6 +184,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       id: sp
@@ -257,6 +263,8 @@ jobs:
 
       steps:
         - uses: actions/checkout@v4
+          with:
+            persist-credentials: false
         - name: Set up Python ${{ matrix.python-version }}
           uses: actions/setup-python@v5
           id: sp
@@ -314,6 +322,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       id: sp
@@ -374,6 +384,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       id: sp
@@ -437,6 +449,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       id: sp
@@ -506,6 +520,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       id: sp
@@ -565,6 +581,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       id: sp
@@ -632,6 +650,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       id: sp
@@ -700,6 +720,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       id: sp
@@ -771,6 +793,8 @@ jobs:
         with:
           detached: true
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         id: sp
       - name: Install uv
diff --git a/.github/workflows/update_coc.yml b/.github/workflows/update_coc.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Fetch CODE_OF_CONDUCT.md from django-commons
         run: |
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,51 @@
+name: Zizmor
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+  schedule:
+    # Run weekly
+    - cron: '0 0 * * 0'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor-analysis:
+    name: Run Zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Rust
+        uses: actions-rust-lang/setup-rust-toolchain@v1
+
+      - name: Install Zizmor
+        run: |
+          cargo install zizmor
+
+      - name: Run Zizmor analysis
+        run: |
+          zizmor --format sarif .github/workflows/ > results.sarif
+
+      - name: Upload analysis results
+        uses: actions/upload-artifact@v4
+        with:
+          name: zizmor-results
+          path: results.sarif
+          retention-days: 7
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
diff --git a/SECURITY.md b/SECURITY.md
@@ -1,6 +1,7 @@
 # Security Policy
 
 [![CodeQL](https://github.com/django-commons/django-typer/actions/workflows/github-code-scanning/codeql/badge.svg?branch=main)](https://github.com/django-commons/django-typer/actions/workflows/github-code-scanning/codeql?query=branch:main)
+[![Zizmor](https://github.com/django-commons/django-typer/actions/workflows/zizmor.yml/badge.svg?branch=main)](https://woodruffw.github.io/zizmor)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/django-commons/django-typer/badge)](https://securityscorecards.dev/viewer/?uri=github.com/django-commons/django-typer)
 
 ## Supported Versions
