oss/syft
2
0
Fork 0
mirror of https://github.com/anchore/syft.git synced 2025-11-17 08:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity

chore: lint gh actions with zizmor (#4062)

Browse Source 
Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>
This commit is contained in:
Will Murphy 2025-07-16 17:12:38 -04:00 committed by GitHub
parent 37c182d5be
commit 9cda2de2ad
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
13 changed files with 126 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
.github/actions/bootstrap/action.yaml vendored
View File

@ -55,8 +55,11 @@ runs:
- name: Install apt packages - name: Install apt packages
if: inputs.bootstrap-apt-packages != '' if: inputs.bootstrap-apt-packages != ''
shell: bash shell: bash
env:
APT_PACKAGES: ${{ inputs.bootstrap-apt-packages }}
run: | run: |
DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y ${{ inputs.bootstrap-apt-packages }} IFS=' ' read -ra packages <<< "$APT_PACKAGES"
DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y "${packages[@]}"
- name: Restore ORAS cache from github actions - name: Restore ORAS cache from github actions
if: inputs.download-test-fixture-cache == 'true' if: inputs.download-test-fixture-cache == 'true'

2
.github/workflows/codeql-analysis.yml vendored
View File

@ -37,6 +37,8 @@ jobs:
steps: steps:
- name: Checkout repository - name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Install Go - name: Install Go
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 #v5.5.0 uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 #v5.5.0

6
.github/workflows/detect-schema-changes.yaml vendored
View File

@ -28,9 +28,15 @@ jobs:
label: label:
name: "Label changes" name: "Label changes"
runs-on: ubuntu-22.04 runs-on: ubuntu-22.04
permissions:
contents: read
pull-requests: write
issues: write
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- run: python .github/scripts/labeler.py - run: python .github/scripts/labeler.py
env: env:

9
.github/workflows/release-version-file.yaml vendored
View File

@ -14,13 +14,22 @@ on:
type: string type: string
description: release version to update the version file with (prefixed with v) description: release version to update the version file with (prefixed with v)
required: true required: true
secrets:
TOOLBOX_AWS_ACCESS_KEY_ID:
required: true
TOOLBOX_AWS_SECRET_ACCESS_KEY:
required: true
jobs: jobs:
release: release:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
permissions:
contents: read
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Update version file - name: Update version file
run: make ci-release-version-file run: make ci-release-version-file

35
.github/workflows/release.yaml vendored
View File

@ -16,6 +16,8 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Check if running on main - name: Check if running on main
if: github.ref != 'refs/heads/main' if: github.ref != 'refs/heads/main'
@ -28,8 +30,10 @@ jobs:
- name: Check if tag already exists - name: Check if tag already exists
# note: this will fail if the tag already exists # note: this will fail if the tag already exists
run: | run: |
[[ "${{ github.event.inputs.version }}" == v* ]] || (echo "version '${{ github.event.inputs.version }}' does not have a 'v' prefix" && exit 1) [[ "$VERSION" == v* ]] || (echo "version '$VERSION' does not have a 'v' prefix" && exit 1)
git tag ${{ github.event.inputs.version }} git tag "$VERSION"
env:
VERSION: ${{ github.event.inputs.version }}
- name: Check static analysis results - name: Check static analysis results
uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0 uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
@ -87,13 +91,20 @@ jobs:
- name: Quality gate - name: Quality gate
if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success' if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
env:
STATIC_ANALYSIS_STATUS: ${{ steps.static-analysis.conclusion }}
UNIT_TEST_STATUS: ${{ steps.unit.outputs.conclusion }}
INTEGRATION_TEST_STATUS: ${{ steps.integration.outputs.conclusion }}
ACCEPTANCE_LINUX_STATUS: ${{ steps.acceptance-linux.outputs.conclusion }}
ACCEPTANCE_MAC_STATUS: ${{ steps.acceptance-mac.outputs.conclusion }}
CLI_LINUX_STATUS: ${{ steps.cli-linux.outputs.conclusion }}
run: | run: |
echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}" echo "Static Analysis Status: $STATIC_ANALYSIS_STATUS"
echo "Unit Test Status: ${{ steps.unit.outputs.conclusion }}" echo "Unit Test Status: $UNIT_TEST_STATUS"
echo "Integration Test Status: ${{ steps.integration.outputs.conclusion }}" echo "Integration Test Status: $INTEGRATION_TEST_STATUS"
echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}" echo "Acceptance Test (Linux) Status: $ACCEPTANCE_LINUX_STATUS"
echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}" echo "Acceptance Test (Mac) Status: $ACCEPTANCE_MAC_STATUS"
echo "CLI Test (Linux) Status: ${{ steps.cli-linux.outputs.conclusion }}" echo "CLI Test (Linux) Status: $CLI_LINUX_STATUS"
false false
release: release:
@ -108,6 +119,7 @@ jobs:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with: with:
fetch-depth: 0 fetch-depth: 0
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -129,10 +141,11 @@ jobs:
run: | run: |
git config --global user.name "anchoreci" git config --global user.name "anchoreci"
git config --global user.email "anchoreci@users.noreply.github.com" git config --global user.email "anchoreci@users.noreply.github.com"
git tag -a ${{ github.event.inputs.version }} -m "Release ${{ github.event.inputs.version }}" git tag -a "$VERSION" -m "Release $VERSION"
git push origin --tags git push origin --tags
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
VERSION: ${{ github.event.inputs.version }}
- name: Build & publish release artifacts - name: Build & publish release artifacts
run: make ci-release run: make ci-release
@ -169,4 +182,6 @@ jobs:
uses: ./.github/workflows/release-version-file.yaml uses: ./.github/workflows/release-version-file.yaml
with: with:
version: ${{ github.event.inputs.version }} version: ${{ github.event.inputs.version }}
secrets: inherit secrets:
TOOLBOX_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
TOOLBOX_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}

4
.github/workflows/remove-awaiting-response-label.yaml vendored
View File

@ -6,6 +6,10 @@ on:
jobs: jobs:
run: run:
permissions:
contents: read
issues: write
pull-requests: write
uses: "anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main" uses: "anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main"
secrets: secrets:
token: ${{ secrets.OSS_PROJECT_GH_TOKEN }} token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}

6
.github/workflows/test-fixture-cache-publish.yaml vendored
View File

@ -20,6 +20,8 @@ jobs:
packages: write packages: write
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -34,7 +36,9 @@ jobs:
DOWNLOAD_TEST_FIXTURE_CACHE: "false" DOWNLOAD_TEST_FIXTURE_CACHE: "false"
- name: Login to GitHub Container Registry (ORAS) - name: Login to GitHub Container Registry (ORAS)
run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u ${{ github.actor }} --password-stdin run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin
env:
ACTOR: ${{ github.actor }}
- name: Publish test fixture cache - name: Publish test fixture cache
run: make upload-test-fixture-cache run: make upload-test-fixture-cache

2
.github/workflows/update-anchore-dependencies.yml vendored
View File

@ -16,6 +16,8 @@ jobs:
if: github.repository_owner == 'anchore' # only run for main repo (not forks) if: github.repository_owner == 'anchore' # only run for main repo (not forks)
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap

2
.github/workflows/update-bootstrap-tools.yml vendored
View File

@ -14,6 +14,8 @@ jobs:
if: github.repository == 'anchore/syft' # only run for main repo if: github.repository == 'anchore/syft' # only run for main repo
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap

2
.github/workflows/update-cpe-dictionary-index.yml vendored
View File

@ -17,6 +17,8 @@ jobs:
if: github.repository == 'anchore/syft' # only run for main repo if: github.repository == 'anchore/syft' # only run for main repo
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap

35
.github/workflows/validate-github-actions.yaml vendored Normal file
View File

@ -0,0 +1,35 @@
name: "Validate GitHub Actions"
on:
pull_request:
paths:
- '.github/workflows/**'
- '.github/actions/**'
push:
branches:
- main
paths:
- '.github/workflows/**'
- '.github/actions/**'
permissions:
contents: read
jobs:
zizmor:
name: "Lint"
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write # for uploading SARIF results
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: "Run zizmor"
uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
with:
config-file: .github/zizmor.yml
sarif-upload: true
inputs: .github

20
.github/workflows/validations.yaml vendored
View File

@ -18,6 +18,8 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -33,6 +35,8 @@ jobs:
runs-on: ubuntu-22.04-4core-16gb runs-on: ubuntu-22.04-4core-16gb
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -49,6 +53,8 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -67,6 +73,8 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -100,6 +108,8 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -155,6 +165,8 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -198,9 +210,11 @@ jobs:
runs-on: macos-latest runs-on: macos-latest
steps: steps:
- name: Install Cosign - name: Install Cosign
uses: sigstore/cosign-installer@v3.9.1 uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -238,6 +252,8 @@ jobs:
runs-on: ubuntu-24.04 runs-on: ubuntu-24.04
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Bootstrap environment - name: Bootstrap environment
uses: ./.github/actions/bootstrap uses: ./.github/actions/bootstrap
@ -276,6 +292,8 @@ jobs:
- Upload-Snapshot-Artifacts - Upload-Snapshot-Artifacts
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
with:
persist-credentials: false
- name: Delete snapshot cache - name: Delete snapshot cache
run: gh cache delete "snapshot-build-${{ github.run_id }}" run: gh cache delete "snapshot-build-${{ github.run_id }}"

11
.github/zizmor.yml vendored Normal file
View File

@ -0,0 +1,11 @@
rules:
unpinned-uses:
ignore:
# Allow unpinned uses of trusted internal anchore/workflows actions
- update-anchore-dependencies.yml
dangerous-triggers:
ignore:
# Safe use of pull_request_target - only runs trusted scripts from base repo,
# never checks out PR code, needs secrets for labeling PRs from forks
- detect-schema-changes.yaml