integrate zizmor - Githubissues

theupdateframework / tuf-on-ci

A TUF repository and signing tool

Other

22 stars 11 forks source link

integrate zizmor #474

Open jku opened 4 hours ago

jku commented 4 hours ago

zizmor is a GH actions audit tool, I'm hoping it works on actual actions yml as well (and not just workflow files): this would be very useful for the tuf-on-ci actions...

see https://github.com/sigstore/root-signing/pull/1397
some actions in this repo do use the git credentials so need to be careful WRT persist-credentials

jku commented 4 hours ago

I'm hoping it works on actual actions yml as well (and not just workflow files)

Unfortunately it does not at this moment... Running it on our own workflows is still useful as it does find some issues.