yamanin/registry
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add zizmor workflow checks for GitHub Actions (#662)

Browse Source 
## Description

This PR adds a zizmor security scan to the CI pipeline to analyze new
and existing GitHub Actions workflows under .github/workflows/.

- Runs zizmor on PRs and fails the check when HIGH severity (or above)
issues are found, so they can block merges.
- Runs zizmor on main to produce security reporting (where applicable),
keeping visibility into findings over time.
- Intended to be added as a required status check so workflow-security
regressions can’t land unnoticed.

Reference: coder/registry#642 (comment) / zizmor-action
## Type of Change

- [ ] New module
- [ ] New template
- [ ] Bug fix
- [ ] Feature/enhancement
- [ ] Documentation
- [x] Other - CI / security tooling

## Testing & Validation
- Validation via PR check - opened a test PR with a deliberately risky
workflow and confirmed zizmor reports and blocks on HIGH findings

## Related Issues
coder/registry#642 (comment) / zizmor-action
This commit is contained in:
Lukasz 2026-01-21 11:52:26 +01:00 committed by GitHub
parent ec57cb5c0f
commit 01365fb61a
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 55 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
.github/workflows/zizmor.yaml vendored Normal file
View File

@ -0,0 +1,55 @@
name: GitHub Actions Security Analysis (zizmor)
on:
pull_request:
branches: ["**"]
paths:
- ".github/workflows/**"
push:
branches: ["main"]
paths:
- ".github/workflows/**"
workflow_dispatch:
permissions: {}
jobs:
zizmor_pr_blocking:
if: github.event_name == 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- name: Run zizmor (blocking, HIGH only)
uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
with:
advanced-security: false
annotations: true
min-severity: high
inputs: |
.github/workflows
zizmor_main_sarif:
if: github.event_name != 'pull_request'
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
- name: Checkout repository
uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
with:
persist-credentials: false
- name: Run zizmor (SARIF)
uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
with:
inputs: |
.github/workflows