diff --git a/.github/workflows/contracts.yml b/.github/workflows/contracts.yml index a5be105a..2da56828 100644 --- a/.github/workflows/contracts.yml +++ b/.github/workflows/contracts.yml @@ -25,6 +25,7 @@ jobs: foundry: if: github.event.pull_request.draft == false runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout sources @@ -93,6 +94,7 @@ jobs: hardhat: if: github.event.pull_request.draft == false runs-on: ubuntu-latest + permissions: {} steps: - name: Checkout sources diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml index 17938d92..c695ef58 100644 --- a/.github/workflows/docker-release.yml +++ b/.github/workflows/docker-release.yml @@ -8,8 +8,9 @@ jobs: build: name: Clone, Build, Publish runs-on: ubuntu-latest - steps: + permissions: {} + steps: - name: Check out repository uses: actions/checkout@v4 with: diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..b7d06343 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,37 @@ +name: zizmor GA Security Analysis + +on: + push: + branches: ["main"] + pull_request: + branches: ["**"] + +jobs: + zizmor: + name: zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + # required for workflows in private repositories + contents: read + actions: read + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231 # v5.3.1 + + - name: Run zizmor + run: uvx zizmor --format sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor