Cutlery/immich
1
0
Fork 1
mirror of https://github.com/immich-app/immich.git synced 2025-10-31 02:27:08 -04:00
Code Issues Packages Projects Releases Wiki Activity

feat: static analysis job for gha workflows (#17688)

Browse Source 
* fix: set persist-credentials explicitly for checkout

https://woodruffw.github.io/zizmor/audits/#artipacked

* fix: minimize permissions scope for workflows

https://woodruffw.github.io/zizmor/audits/#excessive-permissions

* fix: remove potential template injections

https://woodruffw.github.io/zizmor/audits/#template-injection

* fix: only pass needed secrets in workflow_call

https://woodruffw.github.io/zizmor/audits/#secrets-inherit

* fix: push perm for single-arch build jobs

I hadn't realised these push to the registry too :x

* chore: fix formatting

* fix: $

* fix: retag job quoting

* feat: static analysis job for gha workflows

* chore: fix formatting

* fix: clear last zizmor checks

* fix: broken merge

---------

Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
This commit is contained in:
bo0tzz 2025-04-23 17:49:06 +02:00 committed by GitHub
parent 59fa8fbd0e
commit 64000d9d76
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
8 changed files with 46 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.github/workflows/docker.yml vendored
View File

@ -224,7 +224,7 @@ jobs:
BUILD_SOURCE_COMMIT=${{ github.sha }} BUILD_SOURCE_COMMIT=${{ github.sha }}
- name: Export digest - name: Export digest
run: | run: | # zizmor: ignore[template-injection]
mkdir -p ${{ runner.temp }}/digests mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.build.outputs.digest }}" digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}" touch "${{ runner.temp }}/digests/${digest#sha256:}"
@ -426,7 +426,7 @@ jobs:
BUILD_SOURCE_COMMIT=${{ github.sha }} BUILD_SOURCE_COMMIT=${{ github.sha }}
- name: Export digest - name: Export digest
run: | run: | # zizmor: ignore[template-injection]
mkdir -p ${{ runner.temp }}/digests mkdir -p ${{ runner.temp }}/digests
digest="${{ steps.build.outputs.digest }}" digest="${{ steps.build.outputs.digest }}"
touch "${{ runner.temp }}/digests/${digest#sha256:}" touch "${{ runner.temp }}/digests/${digest#sha256:}"
@ -535,6 +535,7 @@ jobs:
run: exit 1 run: exit 1
- name: All jobs passed or skipped - name: All jobs passed or skipped
if: ${{ !(contains(needs.*.result, 'failure')) }} if: ${{ !(contains(needs.*.result, 'failure')) }}
# zizmor: ignore[template-injection]
run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}" run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"
success-check-ml: success-check-ml:
@ -549,4 +550,5 @@ jobs:
run: exit 1 run: exit 1
- name: All jobs passed or skipped - name: All jobs passed or skipped
if: ${{ !(contains(needs.*.result, 'failure')) }} if: ${{ !(contains(needs.*.result, 'failure')) }}
# zizmor: ignore[template-injection]
run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}" run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"

14
.github/workflows/docs-deploy.yml vendored
View File

@ -1,6 +1,6 @@
name: Docs deploy name: Docs deploy
on: on:
workflow_run: workflow_run: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
workflows: ['Docs build'] workflows: ['Docs build']
types: types:
- completed - completed
@ -115,22 +115,22 @@ jobs:
- name: Load parameters - name: Load parameters
id: parameters id: parameters
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
env:
PARAM_JSON: ${{ needs.checks.outputs.parameters }}
with: with:
script: | script: |
const json = `${{ needs.checks.outputs.parameters }}`; const parameters = JSON.parse(process.env.PARAM_JSON);
const parameters = JSON.parse(json);
core.setOutput("event", parameters.event); core.setOutput("event", parameters.event);
core.setOutput("name", parameters.name); core.setOutput("name", parameters.name);
core.setOutput("shouldDeploy", parameters.shouldDeploy); core.setOutput("shouldDeploy", parameters.shouldDeploy);
- run: |
echo "Starting docs deployment for ${{ steps.parameters.outputs.event }} ${{ steps.parameters.outputs.name }}"
- name: Download artifact - name: Download artifact
uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7 uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7
env:
ARTIFACT_JSON: ${{ needs.checks.outputs.artifact }}
with: with:
script: | script: |
let artifact = ${{ needs.checks.outputs.artifact }}; let artifact = JSON.parse(process.env.ARTIFACT_JSON);
let download = await github.rest.actions.downloadArtifact({ let download = await github.rest.actions.downloadArtifact({
owner: context.repo.owner, owner: context.repo.owner,
repo: context.repo.repo, repo: context.repo.repo,

2
.github/workflows/docs-destroy.yml vendored
View File

@ -1,6 +1,6 @@
name: Docs destroy name: Docs destroy
on: on:
pull_request_target: pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
types: [closed] types: [closed]
permissions: {} permissions: {}

2
.github/workflows/pr-label-validation.yml vendored
View File

@ -1,7 +1,7 @@
name: PR Label Validation name: PR Label Validation
on: on:
pull_request_target: pull_request_target: # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
types: [opened, labeled, unlabeled, synchronize] types: [opened, labeled, unlabeled, synchronize]
permissions: {} permissions: {}

2
.github/workflows/pr-labeler.yml vendored
View File

@ -1,6 +1,6 @@
name: 'Pull Request Labeler' name: 'Pull Request Labeler'
on: on:
- pull_request_target - pull_request_target # zizmor: ignore[dangerous-triggers] no attacker inputs are used here
permissions: {} permissions: {}

5
.github/workflows/prepare-release.yml vendored
View File

@ -47,7 +47,10 @@ jobs:
uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5 uses: astral-sh/setup-uv@d4b2f3b6ecc6e67c4457f6d3e41ec42d3d0fcb86 # v5
- name: Bump version - name: Bump version
run: misc/release/pump-version.sh -s "${{ inputs.serverBump }}" -m "${{ inputs.mobileBump }}" env:
SERVER_BUMP: ${{ inputs.serverBump }}
MOBILE_BUMP: ${{ inputs.mobileBump }}
run: misc/release/pump-version.sh -s "${SERVER_BUMP}" -m "${MOBILE_BUMP}"
- name: Commit and tag - name: Commit and tag
id: push-tag id: push-tag

27
.github/workflows/static_analysis.yml vendored
View File

@ -95,3 +95,30 @@ jobs:
- name: Run dart custom_lint - name: Run dart custom_lint
run: dart run custom_lint run: dart run custom_lint
working-directory: ./mobile working-directory: ./mobile
zizmor:
name: zizmor
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
persist-credentials: false
- name: Install the latest version of uv
uses: astral-sh/setup-uv@v5
- name: Run zizmor 🌈
run: uvx zizmor --format=sarif . > results.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Upload SARIF file
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif
category: zizmor

1
.github/workflows/weblate-lock.yml vendored
View File

@ -57,4 +57,5 @@ jobs:
run: exit 1 run: exit 1
- name: All jobs passed or skipped - name: All jobs passed or skipped
if: ${{ !(contains(needs.*.result, 'failure')) }} if: ${{ !(contains(needs.*.result, 'failure')) }}
# zizmor: ignore[template-injection]
run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}" run: echo "All jobs passed or skipped" && echo "${{ toJSON(needs.*.result) }}"