ci: add zizmor for github actions security (#7822)

> zizmor is a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups. https://woodruffw.github.io/zizmor/ EDIT: what is the right PR-syntax for this? --------- Co-authored-by: Boshen <[email protected]>
oxc-project · Dec 13, 2024 · b24a636 · b24a636
1 parent 4448b63
commit b24a636
Show file tree

Hide file tree

Showing 12 changed files with 89 additions and 24 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -113,7 +113,7 @@ jobs:
           save-cache: ${{ github.ref_name == 'main' }}
       - run: rustup target add wasm32-wasip1-threads
       - uses: bytecodealliance/actions/wasmtime/setup@v1
-      - run: cargo test --target wasm32-wasip1-threads ${{ env.TEST_FLAGS }}
+      - run: cargo test --target wasm32-wasip1-threads ${TEST_FLAGS}
       - run: git diff --exit-code # Must commit everything
 
   test-wasm32-unknown-unknown:

diff --git a/.github/workflows/ci_security.yml b/.github/workflows/ci_security.yml
@@ -0,0 +1,40 @@
+name: GitHub Actions Security Analysis
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - ".github/workflows/**"
+  push:
+    branches:
+      - main
+      - "renovate/**"
+    paths:
+      - ".github/workflows/**"
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v4
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -1,7 +1,7 @@
 name: Check PR
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types:
       - opened
       - edited

diff --git a/.github/workflows/prepare_release_oxlint.yml b/.github/workflows/prepare_release_oxlint.yml
@@ -10,11 +10,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  pull-requests: write
-  contents: write
-  actions: write
-
 jobs:
   prepare:
     name: Prepare Release Oxlint
@@ -28,6 +23,9 @@ jobs:
     needs: prepare
     name: Trigger Ecosystem CI
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
     steps:
       - uses: taiki-e/checkout-action@v1
 
@@ -50,6 +48,8 @@ jobs:
     needs: prepare
     name: Update oxc.rs
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - uses: taiki-e/checkout-action@v1
       - uses: benc-uk/workflow-dispatch@v1

diff --git a/.github/workflows/release_crates.yml b/.github/workflows/release_crates.yml
@@ -8,10 +8,6 @@ on:
     paths:
       - crates/oxc/Cargo.toml
 
-permissions:
-  contents: write
-  actions: write
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -20,10 +16,14 @@ jobs:
   release:
     name: Release crates
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      actions: write
     steps:
       - uses: actions/checkout@v4
         with:
           token: ${{ secrets.PAT }} # required for git tag push
+          persist-credentials: false
 
       - uses: Boshen/setup-rust@main
         with:
@@ -41,6 +41,8 @@ jobs:
           echo "TAG=$(cat ./target/OXC_VERSION)" >> $GITHUB_OUTPUT
 
       - name: Tag and Push
+        env:
+          TAG_NAME: ${{ steps.run.outputs.TAG }}
         run: |
-          git tag ${{ steps.run.outputs.TAG }}
-          git push origin tag ${{ steps.run.outputs.TAG }}
+          git tag ${TAG_NAME}
+          git push origin tag ${TAG_NAME}
diff --git a/.github/workflows/release_napi_parser.yml b/.github/workflows/release_napi_parser.yml
@@ -35,9 +35,12 @@ jobs:
 
       - name: Set version name
         if: steps.version.outputs.changed == 'true'
+        env:
+          VERSION_NUMBER: ${{ steps.version.outputs.version }}
+          VERSION_TYPE: ${{ steps.version.outputs.version_type }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})"
-          echo "version=${{ steps.version.outputs.version }}" >> $GITHUB_ENV
+          echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})"
+          echo "version=${VERSION_TYPE}" >> $GITHUB_ENV
 
   build:
     needs: check

diff --git a/.github/workflows/release_napi_transform.yml b/.github/workflows/release_napi_transform.yml
@@ -35,9 +35,12 @@ jobs:
 
       - name: Set version name
         if: steps.version.outputs.changed == 'true'
+        env:
+          VERSION_NUMBER: ${{ steps.version.outputs.version }}
+          VERSION_TYPE: ${{ steps.version.outputs.version_type }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})"
-          echo "version=${{ steps.version.outputs.version }}" >> $GITHUB_ENV
+          echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_NUMBER})"
+          echo "version=${VERSION_NUMBER}" >> $GITHUB_ENV
 
   build:
     needs: check

diff --git a/.github/workflows/release_oxlint.yml b/.github/workflows/release_oxlint.yml
@@ -32,8 +32,10 @@ jobs:
 
       - name: Print version
         if: steps.version.outputs.changed == 'true'
+        env:
+          NEW_VERSION: ${{ steps.version.outputs.version }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }}"
+          echo "Version change found! New version: ${NEW_VERSION}"
 
   build:
     needs: check
@@ -150,6 +152,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # for changelog
+          persist-credentials: false
 
       - uses: Boshen/setup-rust@main
         with:
@@ -227,10 +230,12 @@ jobs:
     container: ${{ matrix.container }}
     steps:
       - name: Test
+        env:
+          OXLINT_VERSION: ${{ needs.check.outputs.version}}
         run: |
           touch test.js
           ldd --version || true
-          npx oxlint@${{ needs.check.outputs.version }} ./test.js
+          npx oxlint@${OXLINT_VERSION} ./test.js
 
   eslint-plugin-oxlint:
     needs: [check, publish]

diff --git a/.github/workflows/release_types.yml b/.github/workflows/release_types.yml
@@ -32,8 +32,11 @@ jobs:
 
       - name: Set version name
         if: steps.version.outputs.changed == 'true'
+        env:
+          VERSION_NUMBER: ${{ steps.version.outputs.version }}
+          VERSION_TYPE: ${{ steps.version.outputs.version_type }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})"
+          echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})"
 
   build:
     needs: check

diff --git a/.github/workflows/release_vscode.yml b/.github/workflows/release_vscode.yml
@@ -36,9 +36,12 @@ jobs:
 
       - name: Set version name
         if: steps.version.outputs.changed == 'true'
+        env:
+          VERSION_NUMBER: ${{ steps.version.outputs.version }}
+          VERSION_TYPE: ${{ steps.version.outputs.version_type }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})"
-          echo "version=${{ steps.version.outputs.version }}" >> $GITHUB_ENV
+          echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})"
+          echo "version=${VERSION_NUMBER}" >> $GITHUB_ENV
 
   build:
     needs: check

diff --git a/.github/workflows/release_wasm.yml b/.github/workflows/release_wasm.yml
@@ -32,8 +32,11 @@ jobs:
 
       - name: Set version name
         if: steps.version.outputs.changed == 'true'
+        env:
+          VERSION_NUMBER: ${{ steps.version.outputs.version }}
+          VERSION_TYPE: ${{ steps.version.outputs.version_type }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})"
+          echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})"
 
   build:
     needs: check

diff --git a/.github/workflows/reusable_prepare_release.yml b/.github/workflows/reusable_prepare_release.yml
@@ -27,6 +27,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: Boshen/setup-rust@main
         with:
@@ -35,9 +36,11 @@ jobs:
 
       - name: Run
         id: run
+        env:
+          RELEASE_NAME: ${{ inputs.name }}
         run: |
           cargo ck
-          cargo release-oxc update --release ${{ inputs.name }}
+          cargo release-oxc update --release ${RELEASE_NAME}
           echo "VERSION=$(cat ./target/OXC_VERSION)" >> $GITHUB_OUTPUT
           {
             echo 'CHANGELOG<<EOF'