From 5651df741e45295400d35f9df7f6956cd80cc3c4 Mon Sep 17 00:00:00 2001
From: Kalle Fagerberg
Date: Tue, 3 Mar 2026 14:23:00 +0100
Subject: [PATCH] Add zizmor
---
 .github/dependabot.yml | 21 +++++++++++++++++++++
 .github/workflows/github-actions.yml | 27 +++++++++++++++++++++++++++
 .github/workflows/reuse.yml | 13 +++++++++----
 .github/workflows/reviewdog.yml | 12 +++++++++---
 4 files changed, 66 insertions(+), 7 deletions(-)
 create mode 100644 .github/dependabot.yml
 create mode 100644 .github/workflows/github-actions.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..2802572
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,21 @@
+# SPDX-FileCopyrightText: 2023 Risk.Ident GmbH
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# See GitHub's documentation for more information on this file:
+# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ cooldown:
+ default-days: 7
+
+ - package-ecosystem: "gomod"
+ directory: "/"
+ schedule:
+ interval: "daily"
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/github-actions.yml b/.github/workflows/github-actions.yml
new file mode 100644
index 0000000..04c77fe
--- /dev/null
+++ b/.github/workflows/github-actions.yml
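Review bot: The new `.github/dependabot.yml` header says `SPDX-FileCopyrightText: 2023` although the file is created by this commit (dated 2026) and the sibling `github-actions.yml` added in the same patch says 2026; unless the text was genuinely copied from a 2023 file, the header should read `# SPDX-FileCopyrightText: 2026 Risk.Ident GmbH`. The `gomod` entry presumes a `go.mod` at the repository root, which nothing in this patch shows; if there is none, Dependabot will log a failed check for that entry on every run. A one-line comment above the `updates:` list, e.g. `# 7-day cooldown: wait for new releases to age before proposing them, see the cooldown docs linked above`, would record why the delay was chosen for both ecosystems.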
@@ -0,0 +1,27 @@
+# SPDX-FileCopyrightText: 2026 Risk.Ident GmbH
+#
+# SPDX-License-Identifier: CC0-1.0
+
+name: github-actions
+on:
+ push:
+ branches:
+ - "main"
+ pull_request:
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor 🌈
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor 🌈
+ uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
diff --git a/.github/workflows/reuse.yml b/.github/workflows/reuse.yml
index bf05b32..af9b665 100644
--- a/.github/workflows/reuse.yml
+++ b/.github/workflows/reuse.yml
@@ -1,4 +1,3 @@
----
 # SPDX-FileCopyrightText: 2022 Free Software Foundation Europe e.V.
 #
 # SPDX-License-Identifier: CC0-1.0
@@ -14,7 +13,13 @@ on:
 jobs:
 test:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
- - uses: actions/checkout@v3
- - name: REUSE Compliance Check
- uses: fsfe/reuse-action@v1
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: REUSE Compliance Check
+ uses: fsfe/reuse-action@676e2d560c9a403aa252096d99fcab3e1132b0f5 # v6.0.0
diff --git a/.github/workflows/reviewdog.yml b/.github/workflows/reviewdog.yml
index a7d8374..79d8b1d 100644
--- a/.github/workflows/reviewdog.yml
+++ b/.github/workflows/reviewdog.yml
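Review bot: The `zizmor` job's `permissions:` block lists only `security-events: write`, which sets every other scope for that job to `none`, including `contents` and `actions`; zizmor's own workflow template carries `contents: read` and `actions: read` next to it as required for private repositories. On a public repository the checkout still succeeds, but adding the two read scopes under the job's `permissions:` keeps the workflow working if visibility changes, and SARIF upload on `pull_request` runs from forks will fail either way because forked-PR tokens never receive `security-events: write`. The SHA pins with trailing version comments on both `uses:` lines are the right shape for the `github-actions` Dependabot updater added in the same patch.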
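Review bot: The `test` job in `reuse.yml` now carries `permissions: contents: read`, but whether the workflow also sets a top-level `permissions:` is outside the second hunk (file lines 4–13 are not shown); without a workflow-level `permissions: {}` like the one in the new `github-actions.yml`, any job added to this file later without its own block inherits the repository's default token scope. A top-level `permissions: {}` would make the three workflows consistent. The same observation applies to `reviewdog.yml`, whose hunk likewise only sets job-level permissions.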
@@ -9,14 +9,20 @@ jobs:
 remark-lint:
 name: runner / remark-lint
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ pull-requests: write
 steps:
- - uses: actions/checkout@v3
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
 - name: install remark presets
 run: npm install
 shell: bash
 - name: remark-lint
- uses: reviewdog/action-remark-lint@v5
+ uses: reviewdog/action-remark-lint@82225f7db5b4a3caaca3052733b6800fa7d109b0 # v5.18.0
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 reporter: github-pr-check
-
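Review bot: The `remark-lint` job is granted `pull-requests: write`, yet the step passes `github_token: ${{ secrets.GITHUB_TOKEN }}` with `reporter: github-pr-check`, which reports through the Checks API; reviewdog's documentation associates `github-pr-check` with `checks: write` and reserves `pull-requests: write` for the `github-pr-review` reporter, so confirm against the pinned v5.18.0 README which scope this reporter actually needs and grant only that one. The unchanged `run: npm install` step still resolves the presets without a lockfile-enforcing `npm ci`, so the job's npm dependencies remain unpinned even though its actions now are — not introduced here, but worth aligning if a lockfile is committed. The hunk's final removed line is cut off in this view, so the tail of the job could not be checked.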