Commit f0b0a7b

Merge pull request #441 from crazy-max/zizmor
zizmor workflow
2 parents b9e00c5 + e6770dd commit f0b0a7b

8 files changed

+79
-63
lines changed


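--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -5,8 +5,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
-      time: "08:00"
-      timezone: "Europe/Paris"
+    cooldown:
+      default-days: 2
     groups:
       docker-dependencies:
         patterns:
@@ -20,8 +20,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
-      time: "08:00"
-      timezone: "Europe/Paris"
+    cooldown:
+      default-days: 2
     labels:
       - "kind/dependencies"
       - "bot"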
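Review bot: The new `cooldown:` stanzas carry no explanation, and the diff gives no reason why they replaced the fixed 08:00 Europe/Paris schedule, so a later maintainer may strip them as an arbitrary delay. A cooldown is a supply-chain control rather than a scheduling knob — a release has to age before Dependabot proposes it, which gives time for a compromised or yanked tag to be pulled before the bump lands — and I'd say so on both ecosystems: `cooldown: # hold new releases for 2 days before bumping so compromised/yanked tags are caught first`. Whether the cooldown also delays Dependabot security updates, or only version updates, is worth confirming against the docs before relying on it for advisories.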

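--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -4,7 +4,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -31,19 +30,19 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Validate matrix
         id: validate
-        uses: docker/bake-action/subaction/matrix@v6
+        uses: docker/bake-action/subaction/matrix@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           target: validate
         env:
           GOLANGCI_LINT_MULTIPLATFORM: 1
       -
         name: Artifact matrix
         id: artifact
-        uses: docker/bake-action/subaction/matrix@v6
+        uses: docker/bake-action/subaction/matrix@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           target: artifact-all
           fields: platforms
@@ -59,13 +58,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Validate
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           source: .
           targets: ${{ matrix.target }}
@@ -87,18 +86,18 @@ jobs:
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           source: .
           targets: artifact
@@ -122,7 +121,7 @@ jobs:
           tree -nh ${{ env.DESTDIR }}
       -
         name: Upload artifact
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: swarm-cronjob-${{ env.PLATFORM_PAIR }}
           path: ${{ env.DESTDIR }}
@@ -138,27 +137,27 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Download artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           path: ${{ env.DESTDIR }}
           pattern: swarm-cronjob-*
           merge-multiple: true
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           source: .
           targets: release
           provenance: false
       -
         name: GitHub Release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         if: startsWith(github.ref, 'refs/tags/')
         with:
           draft: true
@@ -179,13 +178,13 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: |
             ${{ env.DOCKERHUB_SLUG }}
@@ -202,28 +201,28 @@ jobs:
             org.opencontainers.image.vendor=CrazyMax
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           username: ${{ secrets.DOCKER_USERNAME }}
           password: ${{ secrets.DOCKER_PASSWORD }}
       -
         name: Login to GHCR
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
       -
         name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           source: .
           files: |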
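Review bot: The "Login to DockerHub" step in the last hunk still passes `${{ secrets.DOCKER_USERNAME }}` and `${{ secrets.DOCKER_PASSWORD }}` straight into `with:`, which is exactly the pattern zizmor's `secrets-outside-env` audit reports, and this same commit silences that audit repo-wide in `.github/zizmor.yml` instead of fixing the step. Routing the two secrets through the step's `env:` and referencing them via the `env` context costs a few lines and lets the audit stay enabled; `secrets.GITHUB_TOKEN` on the GHCR step is a different case, but the same shape applies if the audit reports it too. The jobs' own `permissions:` blocks lie outside these hunks, so I cannot confirm that the `contents: write` needed by the "GitHub Release" step is scoped to that job alone rather than inherited more broadly.

```yaml
      -
        name: Login to DockerHub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        env:
          DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
          DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
        with:
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ env.DOCKER_PASSWORD }}
      # … unchanged: Login to GHCR, Build …
```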

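--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -4,11 +4,12 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
 on:
+  schedule:
+    - cron: '0 12 * * 6'
   push:
     branches:
       - 'master'
@@ -17,21 +18,17 @@ on:
   pull_request:
     branches:
       - 'master'
-  schedule:
-    - cron: '0 12 * * 6'
 
 jobs:
   codeql:
     runs-on: ubuntu-latest
     permissions:
-      # same as global permissions
-      contents: read
-      # required for code scanning
-      security-events: write
+      contents: read # same as global permissions
+      security-events: write # required for code scanning
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 2
       -
@@ -41,12 +38,12 @@ jobs:
           git checkout HEAD^2
       -
         name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
         with:
           languages: go
       -
         name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
       -
         name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1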

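--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -4,7 +4,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -23,33 +22,32 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     permissions:
-      # required to push to gh-pages
-      contents: write
+      contents: write # required to push to gh-pages
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Build docs
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           source: .
           provenance: false
           targets: docs
       -
         name: Check GitHub Pages status
-        uses: crazy-max/ghaction-github-status@v4
+        uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0
         with:
           pages_threshold: major_outage
       -
         name: Deploy
         if: github.event_name != 'pull_request'
-        uses: crazy-max/ghaction-github-pages@v4
+        uses: crazy-max/ghaction-github-pages@df5cc2bfa78282ded844b354faee141f06b41865 # v4.2.0
         with:
           target_branch: gh-pages
           build_dir: ${{ env.DESTDIR }}/site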
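Review bot: The `publish` job holds `contents: write` for every step, yet the Checkout step keeps the default `persist-credentials`, so a write-capable token sits in `.git/config` while "Build docs" runs a bake build whose context is `source: .` — on a same-repo pull request that is PR-controlled build input, and whether `.git` is excluded from the context depends on a `.dockerignore` I cannot see. Unless the Deploy step relies on the persisted git credentials (it takes its own inputs, so I would not expect it to), add `persist-credentials: false` under the checkout's `with:` next to `fetch-depth: 0`. If zizmor's `artipacked` audit is not already reporting this at the chosen severity floor, that is worth a look too.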

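--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -4,7 +4,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -13,11 +12,7 @@ on:
     branches:
       - 'master'
       - 'v*'
-    paths-ignore:
-      - '**.md'
   pull_request:
-    paths-ignore:
-      - '**.md'
 
 env:
   BUILD_TAG: 'swarm-cronjob:local'
@@ -31,16 +26,16 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
       -
         name: Build
-        uses: docker/bake-action@v6
+        uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
         with:
           source: .
           targets: image-local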
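Review bot: Removing both `paths-ignore: - '**.md'` filters in the second hunk is a behavioural change that the "zizmor workflow" title and description do not mention: every markdown-only push to master/v* and every markdown-only pull request will now run the QEMU/Buildx e2e job. If the motivation is that branch-protection required checks never report on doc-only PRs, say so in the description or in a comment on `pull_request:`; otherwise keeping the filter on `push:` at least would preserve the previous behaviour.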

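--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -4,7 +4,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -24,16 +23,14 @@ jobs:
   labeler:
     runs-on: ubuntu-latest
     permissions:
-      # same as global permissions
-      contents: read
-      # required to update labels
-      issues: write
+      contents: read # same as global permissions
+      issues: write # required to update labels
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Run Labeler
-        uses: crazy-max/ghaction-github-labeler@v5
+        uses: crazy-max/ghaction-github-labeler@24d110aa46a59976b8a7f35518cb7f14f434c916 # v5.3.0
         with:
           dry-run: ${{ github.event_name == 'pull_request' }}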

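--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,26 @@
+name: zizmor
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - 'master'
+  pull_request:
+
+jobs:
+  run:
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@bbd31df64ee0f097a02f12495f541f9236f18c46 # v1.2.0
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic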
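Review bot: The workflow only runs on `push`, `pull_request` and manual dispatch, so once the SHA pins introduced by this commit stop changing, zizmor will not rerun, and a vulnerability later disclosed against one of the pinned actions (the kind its `known-vulnerable-actions` audit surfaces from the advisory database) stays invisible until some unrelated push. codeql.yml in this same commit already has a weekly trigger; mirroring it under `on:` here with `schedule:` and `- cron: '0 12 * * 6'` closes that gap cheaply. How the called reusable workflow behaves when `security-events: write` is unavailable on fork pull requests is not visible from this file, so I have not assumed anything about it.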

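--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,4 @@
+# https://docs.zizmor.sh/configuration/
+rules:
+  secrets-outside-env:
+    disable: true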
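Review bot: `disable: true` switches `secrets-outside-env` off for every workflow in the repository, including any added later, when the only finding it is covering for appears to be the DockerHub login in build.yml that feeds `secrets.*` directly into `with:`. zizmor's per-rule config also accepts an `ignore:` list of workflow patterns, so scoping the exception to the one file keeps the audit live elsewhere: replace `disable: true` with `ignore:` and `- build.yml`, and add a one-line comment above the rule naming the login step it exempts and why. Better still is to move those two secrets into the step's `env:` and drop the exception altogether, which this commit does not attempt.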
