diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 38fa1ee..9424151 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -47,6 +47,8 @@ jobs: TEST_DJANGO_VERSION: ${{ matrix.django-version }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index d19f3fc..af0eb0e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -40,6 +40,8 @@ jobs: RELEASE_VERSION: ${{ steps.set-package.outputs.release_version }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python uses: actions/setup-python@v5 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 17d58c9..f71f405 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -60,6 +60,8 @@ jobs: TEST_DJANGO_VERSION: ${{ matrix.django-version }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp @@ -123,6 +125,8 @@ jobs: TEST_DJANGO_VERSION: ${{ matrix.django-version }} steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp @@ -180,6 +184,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp @@ -257,6 +263,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp @@ -314,6 +322,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp 
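Review bot: `uses: actions/checkout@v4` in this hunk is still pinned to a mutable tag rather than a commit SHA, so the hardening stops short of what the OpenSSF Scorecard badge in SECURITY.md (its Pinned-Dependencies check) looks for; the form it expects is `uses: actions/checkout@<full-commit-sha> # v4.x.y`, and the same applies to `actions/setup-python@v5` two lines below. `persist-credentials: false` is the right default for a lint job, since nothing in the visible hunk needs the token afterwards; the rest of the job runs outside the hunk. Because this exact checkout stanza is repeated in every job of test.yml, the SHA pin is worth applying to all of them in one pass rather than per file.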
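Review bot: In release.yml, `persist-credentials: false` also removes the token that any later `git push`/tag step in this job would read from `.git/config`; the hunk shows only checkout and setup-python, and the job continues outside it, so confirm no later step pushes with the default credentials. If one does, keep this change and supply credentials to that step explicitly (a `token:` input on a dedicated action, or a scoped secret in that step's environment) rather than reverting to persisted credentials. A release job is also the place where `actions/checkout@v4` most deserves a full commit-SHA pin instead of the tag.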
@@ -374,6 +384,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp @@ -437,6 +449,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp @@ -506,6 +520,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp @@ -565,6 +581,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp @@ -632,6 +650,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp @@ -700,6 +720,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v5 id: sp @@ -771,6 +793,8 @@ jobs: with: detached: true - uses: actions/checkout@v4 + with: + persist-credentials: false - uses: actions/setup-python@v5 id: sp - name: Install uv diff --git a/.github/workflows/update_coc.yml b/.github/workflows/update_coc.yml index 2f9aba0..4b0e661 100644 --- a/.github/workflows/update_coc.yml +++ b/.github/workflows/update_coc.yml @@ -21,6 +21,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Fetch CODE_OF_CONDUCT.md from django-commons run: | diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 0000000..90300c3 --- /dev/null +++ b/.github/workflows/zizmor.yml 
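Review bot: In update_coc.yml the step that follows the hardened checkout, `Fetch CODE_OF_CONDUCT.md from django-commons`, opens a `run: |` block whose body continues outside the hunk; if that job, as its name suggests, writes the fetched file back (commit, push or PR), it will now fail because the token is no longer left in `.git/config` by checkout. Either verify the write step already passes its own token, or give it one explicitly in that step (for example `env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` with `gh`), rather than restoring persisted credentials. The enclosing job starts before this hunk.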
@@ -0,0 +1,51 @@
+name: Zizmor
+
+on:
+ push:
+ branches: [ main ]
+ pull_request:
+ branches: [ main ]
+ schedule:
+ # Run weekly
+ - cron: '0 0 * * 0'
+ workflow_dispatch:
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor-analysis:
+ name: Run Zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ security-events: write
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ persist-credentials: false
+
+ - name: Set up Rust
+ uses: actions-rust-lang/setup-rust-toolchain@v1
+
+ - name: Install Zizmor
+ run: |
+ cargo install zizmor
+
+ - name: Run Zizmor analysis
+ run: |
+ zizmor --format sarif .github/workflows/ > results.sarif
+
+ - name: Upload analysis results
+ uses: actions/upload-artifact@v4
+ with:
+ name: zizmor-results
+ path: results.sarif
+ retention-days: 7
+
+ - name: Upload to code-scanning
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: results.sarif
diff --git a/SECURITY.md b/SECURITY.md
index e1c9e24..dab55a0 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,6 +1,7 @@
 # Security Policy
 [![CodeQL](https://github.com/django-commons/django-typer/actions/workflows/github-code-scanning/codeql/badge.svg?branch=main)](https://github.com/django-commons/django-typer/actions/workflows/github-code-scanning/codeql?query=branch:main)
+[![Zizmor](https://github.com/django-commons/django-typer/actions/workflows/zizmor.yml/badge.svg?branch=main)](https://woodruffw.github.io/zizmor)
 [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/django-commons/django-typer/badge)](https://securityscorecards.dev/viewer/?uri=github.com/django-commons/django-typer)
 ## Supported Versions
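Review bot: `cargo install zizmor` in the Install Zizmor step fetches and compiles whichever crate version is newest at run time, so the workflow that audits supply-chain hygiene has itself an unpinned, non-reproducible dependency; pin it, e.g. `cargo install --locked zizmor --version <chosen release>`, and hash-pin the third-party `actions-rust-lang/setup-rust-toolchain@v1` alongside it. Separately, zizmor exits non-zero when it has findings unless run with `--no-exit-codes`, which makes the Run Zizmor analysis step fail and skips both upload steps, so the findings never reach code scanning; add `if: ${{ !cancelled() }}` to the two upload steps (or pass `--no-exit-codes` and let code scanning do the gating). Note also that on `pull_request` runs from forks the token is read-only regardless of the `security-events: write` grant, so upload-sarif would fail there; guard that step with a same-repo condition or limit it to push/schedule runs.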