From 0683cf6ba126933cb3f41e72a5d55893d49408dc Mon Sep 17 00:00:00 2001
From: Daniel Hast
Date: Sun, 22 Feb 2026 18:40:05 -0500
Subject: [PATCH] ci: add Zizmor workflow and apply recommendations

Add a workflow that runs Zizmor, a static analysis tool for GitHub Actions, on pushes to main and PRs. Also apply Zizmor's recommendations:
* Add cooldown timer for Dependabot updates.
* Deny unnecessary permissions to workflows.
* Add concurrency limits to cancel redundant workflow runs.
* Pin `actions/checkout` to the latest commit hash.
* Set `persist-credentials: false` for `actions/checkout`.
* Replace template expansions with environment variables in code contexts.
* Pin Alpine container image to non-`latest` tag.
---
 .github/dependabot.yml | 2 ++
 .github/workflows/build-and-test.yml | 52 +++++++++++++++++++++-------
 .github/workflows/zizmor.yml | 28 +++++++++++++++
 3 files changed, 70 insertions(+), 12 deletions(-)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 5e1954bf..61569a7b 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,3 +5,5 @@ updates:
 schedule:
 interval: daily
 target-branch: main
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index 923044ef..0f4ae148 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -6,6 +6,13 @@ on:
 schedule:
 - cron: '0 2 * * *'
+permissions:
+ contents: read
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
 jobs:
 build-ubuntu-gcc:
 runs-on: ubuntu-latest
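Review bot: `cancel-in-progress: true` in the new `concurrency` block also covers the `schedule` trigger this workflow keeps (`cron: '0 2 * * *'`), and since a scheduled run and a push run of main fall into the same group (workflow name plus `refs/heads/main`), the nightly run can cancel an in-progress push build of main or be cancelled by one. Restricting cancellation to pull requests keeps the redundant-PR-run saving without that interaction: `cancel-in-progress: ${{ github.event_name == 'pull_request' }}`. The workflow-level `permissions: contents: read` matches what the build jobs need, since they only check out the repository and run make.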
@@ -13,43 +20,64 @@ jobs:
 matrix:
 version: [14]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setting up gcc version
+ env:
+ gcc_version: ${{ matrix.version }}
 run: |
- sudo update-alternatives --install /usr/bin/g++ g++ /usr/bin/g++-${{ matrix.version }} 100
- sudo update-alternatives --install /usr/bin/gcc gcc /usr/bin/gcc-${{ matrix.version }} 100
+ sudo update-alternatives --install /usr/bin/g++ g++ "/usr/bin/g++-${gcc_version}" 100
+ sudo update-alternatives --install /usr/bin/gcc gcc "/usr/bin/gcc-${gcc_version}" 100
 - name: Build
 run: make test
+
 build-ubuntu-clang:
 runs-on: ubuntu-latest
 strategy:
 matrix:
 version: [19, 20]
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install dependencies
- run: sudo apt-get update && sudo apt-get install -y --no-install-recommends clang-19 clang-20
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y --no-install-recommends clang-19 clang-20
 - name: Setting up clang version
+ env:
+ clang_version: ${{ matrix.version }}
 run: |
- sudo update-alternatives --install /usr/bin/clang++ clang++ /usr/bin/clang++-${{ matrix.version }} 100
- sudo update-alternatives --install /usr/bin/clang clang /usr/bin/clang-${{ matrix.version }} 100
+ sudo update-alternatives --install /usr/bin/clang++ clang++ "/usr/bin/clang++-${clang_version}" 100
+ sudo update-alternatives --install /usr/bin/clang clang "/usr/bin/clang-${clang_version}" 100
 - name: Build
 run: CC=clang CXX=clang++ make test
+
 build-musl:
 runs-on: ubuntu-latest
 container:
- image: alpine:latest
+ image: alpine:3
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install dependencies
- run: apk update && apk add build-base python3
+ run: |
+ apk
update
+ apk add build-base python3
 - name: Build
 run: make test
+
 build-ubuntu-gcc-aarch64:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install dependencies
- run: sudo apt-get update && sudo apt-get install -y --no-install-recommends gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libgcc-s1-arm64-cross cpp-aarch64-linux-gnu
+ run: |
+ sudo apt-get update
+ sudo apt-get install -y --no-install-recommends gcc-aarch64-linux-gnu g++-aarch64-linux-gnu libgcc-s1-arm64-cross cpp-aarch64-linux-gnu
 - name: Build
 run: CC=aarch64-linux-gnu-gcc CXX=aarch64-linux-gnu-gcc++ make CONFIG_NATIVE=false
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..109a9b6b
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,28 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+ push:
+ branches: ["main"]
+ pull_request:
+ branches: ["**"]
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-24.04
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
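Review bot: `image: alpine:3` in the build-musl job still floats across every 3.x release, so the musl build remains the one unpinned input after this commit pins `actions/checkout` to a commit hash; a digest pin such as `image: alpine:3@sha256:<digest>` (placeholder digest) would make it reproducible, with Dependabot's `docker` ecosystem keeping it current if that is configured, which this hunk does not show. Separately, the unchanged context line `run: CC=aarch64-linux-gnu-gcc CXX=aarch64-linux-gnu-gcc++ make CONFIG_NATIVE=false` names a C++ driver the installed `g++-aarch64-linux-gnu` package does not provide (the cross driver is `aarch64-linux-gnu-g++`), so this presumably only passes because the Makefile never invokes `$(CXX)` for this target; worth correcting while the job is being touched. The `jobs:` mapping these jobs belong to begins in the previous hunk.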
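Review bot: The job-level `permissions` block grants only `security-events: write`, which sets every other scope to none, so `actions/checkout` and the SARIF upload inside `zizmor-action` succeed here presumably only because the repository is public. zizmor's documented example workflow adds `contents: read # only needed for private repos` and `actions: read # only needed for private repos` under the same block, and carrying those two lines keeps the job working if visibility ever changes. `runs-on: ubuntu-24.04` also differs from the `ubuntu-latest` used by every job in build-and-test.yml; either choice is fine, but a short comment stating that the explicit pin is deliberate would stop the next reader from "fixing" the inconsistency.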