From db0f17f1dd4231f9a7e833aed97a94d30cd715df Mon Sep 17 00:00:00 2001
From: Yuki Okushi
Date: Wed, 29 Apr 2026 19:13:34 +0900
Subject: [PATCH] chore: use zizmor to harden GHA usage

---
 .github/dependabot.yml | 4 ++++
 .github/workflows/bench.yml | 2 ++
 .github/workflows/ci-post-merge.yml | 4 ++++
 .github/workflows/ci.yml | 6 ++++++
 .github/workflows/coverage.yml | 2 ++
 .github/workflows/labeler.yml | 2 ++
 .github/workflows/lint.yml | 30 ++++++++++++++++++++++++++++-
 .github/workflows/semver-checks.yml | 17 +++++++++++-----
 zizmor.yml | 8 ++++++++
 9 files changed, 69 insertions(+), 6 deletions(-)
 create mode 100644 zizmor.yml

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 3aeae6b1b..55289db86 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,8 +4,12 @@ updates:
 directory: /
 schedule:
 interval: weekly
+ cooldown:
+ default-days: 3
 - package-ecosystem: cargo
 directory: /
 schedule:
 interval: weekly
+ cooldown:
+ default-days: 3
 versioning-strategy: lockfile-only
diff --git a/.github/workflows/bench.yml b/.github/workflows/bench.yml
index cabf1c267..2a1de96d4 100644
--- a/.github/workflows/bench.yml
+++ b/.github/workflows/bench.yml
@@ -17,6 +17,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Rust
 run: |
diff --git a/.github/workflows/ci-post-merge.yml b/.github/workflows/ci-post-merge.yml
index a55d2d5f8..3dd2f272f 100644
--- a/.github/workflows/ci-post-merge.yml
+++ b/.github/workflows/ci-post-merge.yml
@@ -29,6 +29,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install nasm
 if: matrix.target.os == 'windows-latest'
@@ -72,6 +74,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Free Disk Space
 run: ./scripts/free-disk-space.sh
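Review bot: `persist-credentials: false` on the bench.yml checkout removes the workflow token from the checked-out repository's git config, so any later step in that job that pushes with git or fetches a private git dependency through the ambient credential will now fail; the remainder of the job is outside the hunk, so this needs confirming against the steps that follow `Install Rust`. The same consideration applies to the checkouts changed in ci-post-merge.yml, ci.yml, coverage.yml, labeler.yml, lint.yml and semver-checks.yml in this patch. Where a step genuinely needs to push, give that step an explicitly scoped token of its own rather than re-enabling persistence, and record that in a comment on the step.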
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 2509681a5..ef60480d0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -40,6 +40,8 @@ jobs:
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install nasm
 if: matrix.target.os == 'windows-latest'
@@ -94,6 +96,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Rust
 uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
@@ -110,6 +114,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Rust (nightly)
 uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
index 142539c24..9aaa85770 100644
--- a/.github/workflows/coverage.yml
+++ b/.github/workflows/coverage.yml
@@ -16,6 +16,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Rust (nightly)
 uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
index 91d234abe..4a3f66a95 100644
--- a/.github/workflows/labeler.yml
+++ b/.github/workflows/labeler.yml
@@ -13,4 +13,6 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index d860af114..6c2e79f9a 100644
--- a/.github/workflows/lint.yml
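Review bot: The labeler.yml checkout now drops credentials, but nothing at the step records why that checkout must stay on the base ref; zizmor.yml in this patch suppresses dangerous-triggers for labeler.yml:3 with the justification that the workflow "does not check out PR head", which suggests the job runs on a privileged trigger (the trigger itself is outside the hunk). I would add a comment above the `- uses: actions/checkout` step: `# Privileged trigger: never set ref: to the PR head here (see zizmor.yml)`. That keeps the invariant the zizmor suppression depends on next to the step that has to preserve it, so a future `ref:` addition is far more likely to be caught in review.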
+++ b/.github/workflows/lint.yml
@@ -12,10 +12,30 @@ concurrency:
 cancel-in-progress: true
 jobs:
+ zizmor:
+ name: zizmor
+ permissions:
+ actions: read
+ contents: read
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
+ annotations: true
+ version: v1.24.1
+
 fmt:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Rust (nightly)
 uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
@@ -34,6 +54,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Rust
 uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
@@ -53,6 +75,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Rust (nightly)
 uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
@@ -70,6 +94,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Install Rust (${{ vars.RUST_VERSION_EXTERNAL_TYPES }})
 uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
@@ -87,4 +113,6 @@ jobs:
 tool: cargo-check-external-types
 - name: check external types
- run: just check-external-types-all +${{ vars.RUST_VERSION_EXTERNAL_TYPES }}
+ run: just check-external-types-all +"${RUST_VERSION_EXTERNAL_TYPES}"
+ env:
+ RUST_VERSION_EXTERNAL_TYPES: ${{ vars.RUST_VERSION_EXTERNAL_TYPES }}
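Review bot: The zizmor job in lint.yml pins the scanner with `version: v1.24.1`, and unlike the `uses:` SHA on the line above it this input is not something Dependabot's github-actions updater rewrites, so the CLI version will silently age while the action wrapper keeps getting bumped. A comment on that line would make the manual step visible: `version: v1.24.1  # zizmor CLI; bump by hand — Dependabot only tracks the uses: pin above`. With `advanced-security: false` there is no code-scanning upload, so findings are visible only through the run's annotations and the job's outcome; if this job is meant to gate merges it has to be a required check, which is configured outside this file. The `check external types` hunk's move of the `vars.` expression into a step `env:` and a quoted shell variable is the right shape.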
diff --git a/.github/workflows/semver-checks.yml b/.github/workflows/semver-checks.yml
index 1c9742e04..c65fe8e3a 100644
--- a/.github/workflows/semver-checks.yml
+++ b/.github/workflows/semver-checks.yml
@@ -13,6 +13,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 fetch-depth: 0
+ persist-credentials: false
 - name: Install Rust
 uses: actions-rust-lang/setup-rust-toolchain@2b1f5e9b395427c92ee4e3331786ca3c37afe2d7 # v1.16.0
@@ -59,16 +60,22 @@ jobs:
 - name: Summarize cargo semver-checks output
 if: always() && steps.semver.outcome != 'skipped'
 shell: bash
+ env:
+ BASE_SHA: ${{ github.event.pull_request.base.sha }}
+ HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+ SEMVER_TYPE: ${{ steps.semver.outputs.semver_type }}
+ STATUS: ${{ steps.semver.outputs.exit_code }}
+ SUMMARY_FILE: ${{ steps.semver.outputs.output_file }}
 run: |
- summary_file="${{ steps.semver.outputs.output_file }}"
- status="${{ steps.semver.outputs.exit_code }}"
+ summary_file="$SUMMARY_FILE"
+ status="$STATUS"
 {
 echo "## cargo semver-checks"
 echo
- echo "- Base SHA: \`${{ github.event.pull_request.base.sha }}\`"
- echo "- Head SHA: \`${{ github.event.pull_request.head.sha }}\`"
- echo "- Required release: \`${{ steps.semver.outputs.semver_type }}\`"
+ echo "- Base SHA: \`${BASE_SHA}\`"
+ echo "- Head SHA: \`${HEAD_SHA}\`"
+ echo "- Required release: \`${SEMVER_TYPE}\`"
 echo "- cargo semver-checks exit code: \`$status\`"
 echo
diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 000000000..4f9044a27
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1,8 @@
+rules:
+ dangerous-triggers:
+ ignore:
+ # Required for labeling PRs from forks; does not check out PR head.
+ - labeler.yml:3
+ dependabot-cooldown:
+ config:
+ days: 3
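Review bot: The dangerous-triggers suppression in zizmor.yml is keyed to a line number, `labeler.yml:3`, so it tracks whichever line is third in that file rather than the trigger it was written for; an edit to labeler.yml's header will either resurface the finding or, worse, quietly suppress a different one on that line. I'd extend the comment so the coupling is explicit: `# Required for labeling PRs from forks; does not check out PR head. Pinned to the trigger's line — update if labeler.yml's header moves.` The `dependabot-cooldown` value of 3 days mirrors the `default-days: 3` added to dependabot.yml in this patch; a one-line comment `# Keep in sync with cooldown.default-days in .github/dependabot.yml` would keep the two from drifting apart.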