From ad11d0f2c868eb55d018c64ff9577102b0cfd79c Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Mon, 6 Apr 2026 16:43:02 -0700 Subject: [PATCH 1/2] chore(workflows): add actionlint and zizmor action linters [SECINT-75] Signed-off-by: Steve Beattie --- .github/workflows/actionlint.yaml | 52 +++++++++++++++++++++++++++++++ .github/workflows/zizmor.yaml | 44 ++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 .github/workflows/actionlint.yaml create mode 100644 .github/workflows/zizmor.yaml diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml new file mode 100644 index 00000000..34f31874 --- /dev/null +++ b/.github/workflows/actionlint.yaml @@ -0,0 +1,52 @@ +name: Action Lint +on: + pull_request: + branches: ['main'] + paths: + - '.github/workflows/**' + - '.github/actions/**' + + push: + branches: ['main'] + paths: + - '.github/workflows/**' + - '.github/actions/**' + +permissions: {} + +jobs: + action-lint: + permissions: + contents: read # Clone the repository + name: Action lint + runs-on: ubuntu-latest + steps: + - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: block + allowed-endpoints: > + *.githubapp.com:443 + api.github.com:443 + github.com:443 + go.dev:443 + hooks.slack.com:443 + release-assets.githubusercontent.com:443 + + - name: Check out code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Find yamls + id: get_yamls + run: | + set -ex + mapfile -t yamls < <(find .github/workflows -name "*.y*ml" | grep -v dependabot.) + echo "files=${yamls[*]}" >> "${GITHUB_OUTPUT}" + + - name: Action lint + uses: step-security/action-actionlint@d364e70a116a460ed220d67b1ca2f2579c48a40a # v1.69.1 + env: + SHELLCHECK_OPTS: "--exclude=SC2129" + with: + actionlint_flags: ${{ steps.get_yamls.outputs.files }} diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml new file mode 100644 index 00000000..31a349a1 --- /dev/null +++ b/.github/workflows/zizmor.yaml @@ -0,0 +1,44 @@ +# Copyright 2026 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + +name: Zizmor + +on: + pull_request: + branches: ['main'] + paths: + - '.github/workflows/**' + - '.github/actions/**' + push: + branches: ['main'] + paths: + - '.github/workflows/**' + - '.github/actions/**' + +permissions: {} + +jobs: + zizmor: + name: Zizmor + runs-on: ubuntu-latest + permissions: + actions: read # Required by codeql-action/upload-sarif to get workflow run info + contents: read # Clone the repository + security-events: write # Upload SARIF results to Code Scanning + steps: + - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0 + with: + egress-policy: block + allowed-endpoints: > + api.github.com:443 + github.com:443 + pkg-containers.githubusercontent.com:443 + ghcr.io + + - name: Check out code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Run zizmor + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2 From c57f997f3e0c6f7130a00deadfe267300dd5df46 Mon Sep 17 00:00:00 2001 From: Steve Beattie Date: Mon, 6 Apr 2026 17:24:18 -0700 Subject: [PATCH 2/2] fix(actionlint): add copyright boilerplate Signed-off-by: Steve Beattie --- .github/workflows/actionlint.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/actionlint.yaml b/.github/workflows/actionlint.yaml index 34f31874..c6e8c856 100644 --- a/.github/workflows/actionlint.yaml +++ b/.github/workflows/actionlint.yaml @@ -1,3 +1,6 @@ +# Copyright 2026 Chainguard, Inc. +# SPDX-License-Identifier: Apache-2.0 + name: Action Lint on: pull_request: