Skip to content

ci: Add GitHub Actions security linting with zizmor #3

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
nbrieussel merged 7 commits into from
Mar 22, 2026
Merged

ci: Add GitHub Actions security linting with zizmor #3

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
13417a4
ci: add GitHub Actions security linting with zizmor
nbrieussel Mar 22, 2026
cf01068
fix: pin actionlint action to specific commit SHA for security compli…
nbrieussel Mar 22, 2026
dcd8f35
fix: pin zizmor-action to specific commit SHA for security compliance
nbrieussel Mar 22, 2026
64db39f
fix: pin actions/checkout to specific commit SHA for security compliance
nbrieussel Mar 22, 2026
8402e03
fix: disable credential persistence in checkout to prevent artifact l…
nbrieussel Mar 22, 2026
d549411
fix: apply principle of least privilege with job-level permissions
nbrieussel Mar 22, 2026
af4399a
fix: update actions to latest versions and pin SHAs
nbrieussel Mar 22, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 3 additions & 3 deletions .githooks/pre-push
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,16 +9,16 @@ changed_workflows=$(git diff --cached --name-only --diff-filter=ACM | grep -E '\
if [ -n "$changed_workflows" ]; then
echo "🔍 Linting GitHub Actions workflows..."

# Check actionlint
if ! command -v actionlint &> /dev/null; then
echo "⚠️ actionlint not found. Installing via mise..."
mise install actionlint
fi

# Lint the changed workflows
if actionlint -oneline $changed_workflows; then
echo "✅ Workflows lint passed!"
echo "✅ Actionlint passed!"
else
echo "❌ Workflow lint failed. Fix the errors above and try again."
echo "❌ Actionlint failed. Fix the errors above and try again."
exit 1
fi
else
Expand Down
21 changes: 19 additions & 2 deletions .github/workflows/lint-workflows.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,9 +10,26 @@ on:

jobs:
actionlint:
permissions:
contents: read
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run actionlint
uses: raven-actions/actionlint@v2
uses: raven-actions/actionlint@205b530c5d9fa8f44ae9ed59f341a0db994aa6f8 # v2.1.2

zizmor:
permissions:
contents: read
security-events: write
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false

- name: Run zizmor security check
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
3 changes: 2 additions & 1 deletion .vscode/settings.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
"git add": true,
"git commit": true,
"gh": true,
"git push": true
"git push": true,
"mise": true
}
}
2 changes: 1 addition & 1 deletion README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,4 +16,4 @@ Cette commande installe toutes les dépendances du projet définies dans `mise.t
.githooks/install.sh
```

Cela configure les git hooks locaux pour automatiser les vérifications avant les commits/pushes.
Cela configure les git hooks locaux pour automatiser les vérifications avant les commits/pushes.