
Commit 5c3b179

authored
ci: enable zizmor check (#1126)
1 parent 3d62660 commit 5c3b179


7 files changed

+41
-1
lines changed

7 files changed

+41
-1
lines changed

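--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -8,6 +8,8 @@ on:
 schedule:
 - cron: '28 6 * * 3'
 
+permissions: {}
+
 jobs:
 analyze:
 name: Analyze (${{ matrix.language }})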
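Review bot: The new top-level `permissions: {}` removes every default token scope, so each job now runs only with what it declares itself, and the `analyze` job's own `permissions:` block is outside this hunk. Confirm it grants what the CodeQL upload needs (typically `security-events: write` plus `contents: read`); otherwise the scheduled run will fail only after merge. The same check applies to the `build` jobs in dev-publish.yml and npm-publish.yml and to the jobs in osv.yml, whose bodies are also cut off in this view; docs.yml visibly has a job-level block. A short comment on the added line, such as `# default-deny: every job grants its own scopes`, would tell the next editor why a new job without a `permissions:` block gets no access.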

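--- a/.github/workflows/dev-publish.yml
+++ b/.github/workflows/dev-publish.yml
@@ -3,6 +3,8 @@ name: Dev Publish
 on:
 workflow_dispatch:
 
+permissions: {}
+
 jobs:
 build:
 runs-on: ubuntu-latest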

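--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -8,6 +8,8 @@ concurrency:
 group: 'pages'
 cancel-in-progress: false
 
+permissions: {}
+
 jobs:
 deploy:
 permissions: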

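--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -5,6 +5,8 @@ on:
 release:
 types: [created]
 
+permissions: {}
+
 jobs:
 build:
 runs-on: ubuntu-latest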

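--- a/.github/workflows/osv.yml
+++ b/.github/workflows/osv.yml
@@ -11,6 +11,8 @@
 
 name: OSV-Scanner
 
+permissions: {}
+
 on:
 pull_request:
 branches: ['main']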

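--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,30 @@
+name: Zizmor
+
+on:
+push:
+branches: ['main']
+pull_request:
+branches: ['**']
+
+permissions: {}
+
+jobs:
+zizmor:
+name: zizmor
+runs-on: ubuntu-latest
+permissions:
+contents: read
+actions: read
+steps:
+- name: Checkout repository
+uses: actions/checkout@v4
+with:
+persist-credentials: false
+
+- name: Install the latest version of uv
+uses: astral-sh/setup-uv@v5
+with:
+enable-cache: false
+
+- name: Run zizmor
+run: uvx zizmor@1.5.0 .github/workflows -v -p --min-severity=medium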
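Review bot: Both `uses:` lines in the new job reference mutable tags (`actions/checkout@v4`, `astral-sh/setup-uv@v5`), so the workflow that audits the others could itself change if a tag is moved; pin each to a full commit SHA with the tag as a trailing comment, e.g. `uses: astral-sh/setup-uv@<full-commit-sha> # v5`. The job grants `actions: read`, but no visible step calls the Actions API or passes a token to zizmor, so `contents: read` alone looks sufficient; drop the extra scope unless something outside this view needs it. `--min-severity=medium`, here and in the `test:workflow` script in package.json, means findings below medium never fail the check, so a one-line comment above the `run:` step stating that the threshold is deliberate would help whoever later wonders why a lower-severity finding was not reported.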

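--- a/package.json
+++ b/package.json
@@ -90,7 +90,7 @@
 "test:smoke:cjs": "node ./test/smoke/node.test.cjs",
 "test:smoke:mjs": "node ./test/smoke/node.test.mjs",
 "test:smoke:deno": "deno test ./test/smoke/deno.test.js --allow-read --allow-sys --allow-env --allow-run",
-"test:workflow": "zizmor .github/workflows -v -p"
+"test:workflow": "zizmor .github/workflows -v -p --min-severity=medium"
 },
 "devDependencies": {
 "@size-limit/file": "11.2.0",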
