GHA CI: add checking for GHA workflows

PR #22200. --------- Co-authored-by: userdocs <16525024+userdocs@users.noreply.github.com>
2026-01-10 17:35:00 -06:00 · 2025-01-26 03:44:59 +08:00
parent e2341f5217
commit 3ef4d0d798
8 changed files with 56 additions and 12 deletions
--- a/.github/workflows/ci_file_health.yaml
+++ b/.github/workflows/ci_file_health.yaml
@@ -12,11 +12,15 @@ jobs:
  ci:
    name: Check
    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
+        with:
+          persist-credentials: false

-      - name: Install tools
+      - name: Setup python
        uses: actions/setup-python@v5
        with:
          python-version: "*"
@@ -42,3 +46,26 @@ jobs:
          done
          # check diff, ignore "Automatically generated by ..." part
          git diff -I '\.\\".*' --exit-code
+
+      - name: Check GitHub Actions workflow
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip install zizmor
+          IGNORE_RULEID='(.ruleId != "template-injection")
+            and (.ruleId != "unpinned-uses")'
+          IGNORE_ID='(.id != "template-injection")
+            and (.id != "unpinned-uses")'
+          zizmor \
+            --format sarif \
+            --pedantic \
+            ./ \
+            | jq "(.runs[].results |= map(select($IGNORE_RULEID)))
+              | (.runs[].tool.driver.rules |= map(select($IGNORE_ID)))" \
+            > "${{ runner.temp }}/zizmor_results.sarif"
+
+      - name: Upload zizmor results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: zizmor
+          sarif_file: "${{ runner.temp }}/zizmor_results.sarif"