diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index a78d3c25dc..9a65b05ace 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -224,7 +224,7 @@ jobs: BUILD_SOURCE_COMMIT=${{ github.sha }} - name: Export digest - run: | + run: | # zizmor: ignore[template-injection] mkdir -p ${{ runner.temp }}/digests digest="${{ steps.build.outputs.digest }}" touch "${{ runner.temp }}/digests/${digest#sha256:}" @@ -426,7 +426,7 @@ jobs: BUILD_SOURCE_COMMIT=${{ github.sha }} - name: Export digest - run: | + run: | # zizmor: ignore[template-injection] mkdir -p ${{ runner.temp }}/digests digest="${{ steps.build.outputs.digest }}" touch "${{ runner.temp }}/digests/${digest#sha256:}" @@ -535,6 +535,7 @@ jobs: run: exit 1 - name: All jobs passed or skipped if: ${{ !(contains(needs.*.result, 'failure')) }} + # zizmor: ignore[template-injection] run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}" success-check-ml: @@ -549,4 +550,5 @@ jobs: run: exit 1 - name: All jobs passed or skipped if: ${{ !(contains(needs.*.result, 'failure')) }} + # zizmor: ignore[template-injection] run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}" diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index 10277a0c5e..fd12423fd9 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -1,6 +1,6 @@ name: Docs deploy on: - workflow_run: + workflow_run: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here workflows: ['Docs build'] types: - completed @@ -115,22 +115,22 @@ jobs: - name: Load parameters id: parameters uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 + env: + PARAM_JSON: ${{ needs.checks.outputs.parameters }} with: script: | - const json = `${{ needs.checks.outputs.parameters }}`; - const parameters = JSON.parse(json); + const parameters = JSON.parse(process.env.PARAM_JSON); core.setOutput("event", parameters.event); core.setOutput("name", parameters.name); core.setOutput("shouldDeploy", parameters.shouldDeploy); - - run: | - echo "Starting docs deployment for ${{ steps.parameters.outputs.event }} ${{ steps.parameters.outputs.name }}" - - name: Download artifact uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 + env: + ARTIFACT_JSON: ${{ needs.checks.outputs.artifact }} with: script: | - let artifact = ${{ needs.checks.outputs.artifact }}; + let artifact = JSON.parse(process.env.ARTIFACT_JSON); let download = await github.rest.actions.downloadArtifact({ owner: context.repo.owner, repo: context.repo.repo, diff --git a/.github/workflows/docs-destroy.yml b/.github/workflows/docs-destroy.yml index 9d1e4b6612..0da258de09 100644 --- a/.github/workflows/docs-destroy.yml +++ b/.github/workflows/docs-destroy.yml @@ -1,6 +1,6 @@ name: Docs destroy on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here types: [closed] permissions: {} diff --git a/.github/workflows/pr-label-validation.yml b/.github/workflows/pr-label-validation.yml index 8d34597a08..c5e5131920 100644 --- a/.github/workflows/pr-label-validation.yml +++ b/.github/workflows/pr-label-validation.yml @@ -1,7 +1,7 @@ name: PR Label Validation on: - pull_request_target: + pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here types: [opened, labeled, unlabeled, synchronize] permissions: {} diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml index 5704f4275f..75c6836ab9 100644 --- a/.github/workflows/pr-labeler.yml +++ b/.github/workflows/pr-labeler.yml @@ -1,6 +1,6 @@ name: 'Pull Request Labeler' on: - - pull_request_target + - pull_request_target # zizmor: ignore[dangerous-triggers] no attacker inputs are used here permissions: {} diff --git a/.github/workflows/prepare-release.yml b/.github/workflows/prepare-release.yml index dc171597e9..145418d72b 100644 --- a/.github/workflows/prepare-release.yml +++ b/.github/workflows/prepare-release.yml @@ -47,7 +47,10 @@ jobs: uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 - name: Bump version - run: misc/release/pump-version.sh -s "${{ inputs.serverBump }}" -m "${{ inputs.mobileBump }}" + env: + SERVER_BUMP: ${{ inputs.serverBump }} + MOBILE_BUMP: ${{ inputs.mobileBump }} + run: misc/release/pump-version.sh -s "${SERVER_BUMP}" -m "${MOBILE_BUMP}" - name: Commit and tag id: push-tag diff --git a/.github/workflows/static_analysis.yml b/.github/workflows/static_analysis.yml index 1a3c11d3d5..3efbc25de3 100644 --- a/.github/workflows/static_analysis.yml +++ b/.github/workflows/static_analysis.yml @@ -95,3 +95,30 @@ jobs: - name: Run dart custom_lint run: dart run custom_lint working-directory: ./mobile + + zizmor: + name: zizmor + runs-on: ubuntu-latest + permissions: + security-events: write + contents: read + actions: read + steps: + - name: Checkout repository + uses: actions/checkout@v4 + with: + persist-credentials: false + + - name: Install the latest version of uv + uses: astral-sh/setup-uv@v5 + + - name: Run zizmor 🌈 + run: uvx zizmor --format=sarif . > results.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF file + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: results.sarif + category: zizmor diff --git a/.github/workflows/weblate-lock.yml b/.github/workflows/weblate-lock.yml index 2aef5c472a..2d644955bc 100644 --- a/.github/workflows/weblate-lock.yml +++ b/.github/workflows/weblate-lock.yml @@ -57,4 +57,5 @@ jobs: run: exit 1 - name: All jobs passed or skipped if: ${{ !(contains(needs.*.result, 'failure')) }} + # zizmor: ignore[template-injection] run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"