Use zizmor to lint GitHub Actions (#544) #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Lint GitHub Actions for common security issues using zizmor. | |
| # Docs: https://woodruffw.github.io/zizmor | |
| name: lint-actions | |
| # Only run on PRs and the main branch. | |
| # Pushes to branches will only trigger a run when a PR is opened. | |
| on: | |
| pull_request: | |
| push: | |
| branches: | |
| - main | |
| jobs: | |
| lint: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: "3.12" | |
| - name: Install requirements | |
| run: python -m pip install -r env/requirements-style.txt | |
| - name: List installed packages | |
| run: python -m pip freeze | |
| - name: Lint GitHub Actions | |
| run: make check-actions | |
| env: | |
| # Set GH_TOKEN to allow zizmor to check online vulnerabilities | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} |