From 40975997e11428da2cb0c684338c38f7abfd3d05 Mon Sep 17 00:00:00 2001
From: Max Jones <14077947+maxrjones@users.noreply.github.com>
Date: Mon, 6 Apr 2026 15:20:48 -0400
Subject: [PATCH 1/4] Setup zizmor

---
 .github/workflows/deploy.yml | 6 +++--
 .github/workflows/update-reports.yml | 8 ++++---
 .github/workflows/zizmor.yml | 35 ++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+), 5 deletions(-)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index b644424..22552aa 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -14,10 +14,12 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout main
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ with:
+ persist-credentials: false
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 with:
 version: "0.9.*"
 enable-cache: true
diff --git a/.github/workflows/update-reports.yml b/.github/workflows/update-reports.yml
index 1c0eab4..4af0201 100644
--- a/.github/workflows/update-reports.yml
+++ b/.github/workflows/update-reports.yml
@@ -21,14 +21,16 @@ jobs:
 steps:
 - name: Checkout repository
- uses: actions/checkout@v5
+ uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+ with:
+ persist-credentials: false
 - name: Get current date
 id: date
 run: echo "date=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
 - name: Install uv
- uses: astral-sh/setup-uv@v7
+ uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 with:
 version: "0.9.*"
 enable-cache: true
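Review bot: The digest pins added to both checkout steps and both setup-uv steps are annotated only with floating major tags (`# v5`, `# v7`), so a reader cannot tell which release a digest corresponds to or verify it against the upstream release list, which is the whole point of pinning; annotate each pin with the full `vMAJOR.MINOR.PATCH` tag the digest resolves to instead of the major alias. That also keeps Dependabot/Renovate comment rewrites meaningful, since they update the comment together with the digest. Separately, the zizmor workflow introduced by this same patch pins a different checkout digest (annotated v6.0.2), so the repository now carries two checkout versions in one commit; converging on a single digest keeps the action surface and the update churn to one entry. The `update-reports` job's `- name: Get current date` step is unchanged here, but while touching it consider quoting `"$GITHUB_OUTPUT"` for shell hygiene.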
@@ -56,7 +58,7 @@ jobs:
 run: uv run generate_docs.py
 - name: Create Pull Request
- uses: peter-evans/create-pull-request@v7.0.11
+ uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7.0.11
 with:
 commit-message: "Update reports for ${{ github.run_id }}"
 title: "Update reports (${{ steps.date.outputs.date }})"
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..19313ab
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,35 @@
+name: GitHub Actions Security Analysis
+
+on:
+ push:
+ branches: [main]
+ paths:
+ - '.github/workflows/**'
+ - '.github/actions/**'
+ pull_request:
+ branches: ["**"]
+ paths:
+ - '.github/workflows/**'
+ - '.github/actions/**'
+ workflow_dispatch:
+
+permissions: {}
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ zizmor:
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required by zizmor-action to upload SARIF files
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
From 030970559a76a64d41d454d76ca44f08502d764c Mon Sep 17 00:00:00 2001
From: Max Jones <14077947+maxrjones@users.noreply.github.com>
Date: Mon, 6 Apr 2026 15:51:03 -0400
Subject: [PATCH 2/4] Update workflows

---
 .github/workflows/deploy.yml | 5 +++++
 .github/workflows/update-reports.yml | 3 +++
 2 files changed, 8 insertions(+)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 22552aa..e0791f9 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
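Review bot: The `zizmor` job in the new zizmor.yml grants only `security-events: write`; with `permissions: {}` at the top removing the defaults, that is sufficient on a public repository, but if this repository is private the checkout and the SARIF upload also need `contents: read` and `actions: read`, which (as far as I recall) zizmor's own documented example workflow adds with a "only needed for private repos" note — add both under the job's `permissions:` if that applies. Also, on `pull_request` events from forks the GITHUB_TOKEN is read-only regardless of the declared `security-events: write`, so the SARIF upload inside zizmor-action will fail for fork PRs; if external contributions are expected, check whether the action's SARIF-upload input can be disabled for that case or accept that the findings then only appear in the job log. The `branches: ["**"]` filter on `pull_request` is redundant, since an unfiltered `pull_request` trigger already matches every base branch, and dropping it removes one thing to reason about.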
@@ -8,10 +8,14 @@ on:
 branches:
 - main
+permissions: {}
+
 jobs:
 build:
 name: Deploy docs
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
 steps:
 - name: Checkout main
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
@@ -26,3 +30,4 @@ jobs:
 - name: Deploy docs
 run: uv run mkdocs gh-deploy --force --strict
+ env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/update-reports.yml b/.github/workflows/update-reports.yml
index 4af0201..8570353 100644
--- a/.github/workflows/update-reports.yml
+++ b/.github/workflows/update-reports.yml
@@ -12,9 +12,12 @@ on:
 - 'reports/pyproject.toml'
 workflow_dispatch:
+permissions: {}
+
 jobs:
 update-reports:
 runs-on: ubuntu-latest
+ environment: gh-stats
 permissions:
 contents: write
 pull-requests: write
From 87d9d6409fcf847d01961bb2325a89114504fa58 Mon Sep 17 00:00:00 2001
From: Max Jones <14077947+maxrjones@users.noreply.github.com>
Date: Mon, 6 Apr 2026 15:52:44 -0400
Subject: [PATCH 3/4] Fixup

---
 .github/workflows/deploy.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index e0791f9..c5e21dc 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -30,4 +30,5 @@ jobs:
 - name: Deploy docs
 run: uv run mkdocs gh-deploy --force --strict
- env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
From 65b7f60d6bfd35b162de96b3e704154aac3bf78b Mon Sep 17 00:00:00 2001
From: Max Jones <14077947+maxrjones@users.noreply.github.com>
Date: Mon, 6 Apr 2026 16:14:02 -0400
Subject: [PATCH 4/4] persist creds

---
 .github/workflows/deploy.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index c5e21dc..689fb9f 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
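Review bot: `contents: write` on the `build` job (the `permissions:` block added under `runs-on` in the first deploy.yml hunk) hands every step in the job — including `uv run mkdocs gh-deploy`, which executes whatever third-party mkdocs plugins uv installs — a token that can push to any unprotected branch, not just `gh-pages`. The least-privilege alternative, if the repository's Pages source can be switched to "GitHub Actions", is to build with `mkdocs build`, publish through `actions/upload-pages-artifact` and `actions/deploy-pages`, and grant `pages: write` plus `id-token: write` in place of `contents: write`; until then, make sure branch protection on `main` is in force so the write scope is limited to `gh-pages` in practice, and document the grant inline as `contents: write  # only to push gh-pages via mkdocs gh-deploy; every step in this job sees this token`. The one-line `env: GITHUB_TOKEN: ...` added to the `Deploy docs` step is not a valid mapping and the next patch in the series fixes the layout, so nothing to re-raise there; however, as far as I can tell `mkdocs gh-deploy` (via ghp-import) pushes with a plain `git push` and does not consume a `GITHUB_TOKEN` environment variable, which would make the variable dead even after the fix — worth confirming before keeping it. The `update-reports` hunk's new `environment: gh-stats` is fine for scoping environment secrets, but the hunk does not show what that environment provides; if it holds a PAT that `create-pull-request` uses via its `token` input, note that the job-level `contents: write`/`pull-requests: write` are then only for the default token and the PAT's own scope is what actually matters.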
@@ -20,7 +20,7 @@ jobs:
 - name: Checkout main
 uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 with:
- persist-credentials: false
+ persist-credentials: true
 - name: Install uv
 uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
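Review bot: Switching back to `persist-credentials: true` stores the job's `contents: write` token in `.git/config` for the rest of the job, where it is readable by everything that runs afterwards — including the packages `uv run` installs and executes — and it will presumably re-trigger the zizmor `artipacked` finding this series set out to clear, so the scanner added in patch 1 is likely to flag this very file on the next run. If the push must keep going through `mkdocs gh-deploy`, keep `persist-credentials: false` and inject the token only in the deploy step, e.g. `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"` immediately before the `mkdocs gh-deploy` line, with `GITHUB_TOKEN` passed through that step's `env:` (which the preceding patches already add); this narrows exposure to the deploy step but still lets plugin code running inside gh-deploy's build see the token, so a move to `actions/deploy-pages` with `pages: write` and `id-token: write` remains the cleaner fix. If `true` is kept deliberately, say so inline — `persist-credentials: true  # mkdocs gh-deploy pushes gh-pages with the checkout token` — so the next zizmor finding reads as an accepted trade-off rather than a regression. The `build` job's definition starts before this hunk.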