From a31ea390ba3c7673b5abbde332eb5548886648ce Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Wed, 29 Oct 2025 08:27:55 +0100
Subject: [PATCH 1/3] SEC: enable security scan for github actions using zizmor
---
 .github/workflows/ci_workflows.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/workflows/ci_workflows.yml b/.github/workflows/ci_workflows.yml
index 5b2645c..c946634 100644
--- a/.github/workflows/ci_workflows.yml
+++ b/.github/workflows/ci_workflows.yml
@@ -8,7 +8,21 @@ on: - '*' pull_request: + jobs: + security-scan: + runs-on: ubuntu-latest + permissions: + security-events: write + steps: + - name: Checkout repository + uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: false + + - name: Run zizmor 🌈 + uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 + tests: name: ${{ matrix.name }} runs-on: ${{ matrix.os }}
@@ -26,6 +40,7 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: 0 + persist-credentials: false - name: Install dependencies if: contains(matrix.os, 'macos') run: brew install autoconf automake libtool
@@ -57,6 +72,7 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: 0 + persist-credentials: false - name: Install dependencies run: | if [ "$RUNNER_OS" = Linux ]; then
@@ -81,6 +97,7 @@ jobs: - uses: actions/checkout@v2 with: fetch-depth: 0 + persist-credentials: false - name: install dependencies run: pip install --pre meson ninja - uses: ilammy/msvc-dev-cmd@v1
From 5816650b42f5e871cb5c1079ee794b7262521afc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Wed, 29 Oct 2025 08:28:37 +0100
Subject: [PATCH 2/3] MNT: upgrade all github actions and pin them to hashes
---
 .github/workflows/ci_workflows.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci_workflows.yml b/.github/workflows/ci_workflows.yml
index c946634..9148656 100644
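Review bot: The new `security-scan` job's `permissions:` block lists only `security-events: write`, and a job-level block sets every unlisted scope to none, so its checkout step runs with a `GITHUB_TOKEN` that lacks `contents: read`; add `contents: read` next to it, as the action's own documented example does. A public repository still clones without a readable token, but a private one fails, and the gap becomes easier to hit once default permissions are switched off for the whole workflow. The hunk's context also shows the workflow triggers on `pull_request:`, where runs from forks only get a read-only token, so the code-scanning upload that needs `security-events: write` cannot succeed on fork PRs; either skip the job for those runs or, if the upload is not wanted, disable it through the action's `advanced-security` input (confirm the input name against the pinned v0.2.0).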
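Review bot: `persist-credentials: false` strips the token from the checked-out repository's git config, so any later step in this job that pushes or otherwise authenticates to GitHub through `git` or `gh` will now fail unless it is handed a token explicitly; the rest of the job lies outside the hunk, so confirm no such step exists before merging. The same check applies to the two later hunks of this patch (around old lines 57 and 81) that add the identical line. The existing `fetch-depth: 0` is unaffected, since it only governs the initial clone.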
--- a/.github/workflows/ci_workflows.yml
+++ b/.github/workflows/ci_workflows.yml
@@ -37,7 +37,7 @@ jobs: os: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false
@@ -69,7 +69,7 @@ jobs: os: macos-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false
@@ -94,13 +94,13 @@ jobs: runs-on: windows-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: fetch-depth: 0 persist-credentials: false - name: install dependencies run: pip install --pre meson ninja - - uses: ilammy/msvc-dev-cmd@v1 + - uses: ilammy/msvc-dev-cmd@0b201ec74fa43914dc39ae48a89fd1d8cb592756 # v1.13.0 - name: configure run: meson setup builddir --fatal-meson-warnings -Ddefault_library=static - name: build
From bdcbca3946f25cdcd81c7911cdbd4f8e86d0aa09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Robert?=
Date: Wed, 29 Oct 2025 08:29:25 +0100
Subject: [PATCH 3/3] SEC: disable all default permissions at workflow level
---
 .github/workflows/ci_workflows.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/ci_workflows.yml b/.github/workflows/ci_workflows.yml
index 9148656..732cd6a 100644
--- a/.github/workflows/ci_workflows.yml
+++ b/.github/workflows/ci_workflows.yml
@@ -8,6 +8,7 @@ on: - '*' pull_request: +permissions: {} jobs: security-scan:
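Review bot: The SHA pins introduced here have no refresh mechanism: the series adds no Dependabot or Renovate configuration for the `github-actions` ecosystem, so the hashes will silently age, and the `# v5.0.0` and `# v1.13.0` trailers are plain comments that nothing verifies at run time. Add a `.github/dependabot.yml` entry with `package-ecosystem: "github-actions"` so pins and their version comments are bumped together, and confirm before merging that each hash is the commit behind the tag named in its comment, since a mismatched comment misleads every future reviewer. The same applies to the two later hunks of this patch (around old lines 69 and 94), including the `ilammy/msvc-dev-cmd` pin.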