Conversation

@KornevNikita
Contributor

Zizmor is a static analysis tool for GitHub Actions. See https://github.com/zizmorcore/zizmor

This is necessary to improve the security of the repository and releases. Analysis results can be found in the Security tab.
Contributor

@sarnex sarnex left a comment


the code for the yaml looks fine but yeah let's wait for a security review :)

Contributor


Is my understanding correct that this change detects and scans yaml files assuming some folder structure of .github / devops folders?

If so, are the hardcoded paths something intentional, and do you want to keep track of changes to the target folder structure in the future, OR is it an initial temporary solution and eventually you want something more flexible?

Thanks,
-S

Contributor Author


Sorry, not sure what you mean by "some folder structure". Workflow files are always stored in the .github/workflows/ directory, and our composite actions are stored in devops/actions. I don't think this will ever change.

Also, this workflow downloads and scans only .github/workflows/sycl-* & .github/workflows/ur-* ymls and all ymls in the devops/actions directory, as I believe it's the only workflows we launch here in intel/llvm (@intel/dpcpp-devops-reviewers right?). It's intended to avoid alerts in workflows we don't even run.

Does this answer your question? If not, could you please clarify what you mean?

Contributor


Workflow files are always stored in the .github/workflows/ directory

How reliable is this statement? Should it be possible to commit and run a workflow file from a different folder?

Also, this workflow downloads and scans only .github/workflows/sycl-* & .github/workflows/ur-* ymls and all ymls in the devops/actions directory, as I believe it's the only workflows we launch here in intel/llvm (@intel/dpcpp-devops-reviewers right?). It's intended to avoid alerts in workflows we don't even run.

From a security point of view, having a list of items explicitly disabled for scanning is preferred to a list of 'enabled' items, so that when an unclassified item is added it goes through scanning by default until it is disabled explicitly.
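To illustrate the deny-list approach suggested above, here is an added example (not the PR's workflow and not part of this thread) that selects YAML files under the two directories named in the discussion, .github/workflows and devops/actions, and drops only the paths in an explicit skip list, so a newly added, unclassified workflow is scanned by default. The skip-list entry and the fixture file names are constructed placeholders; handing the resulting list to zizmor is left to the caller.

```shell
#!/bin/sh
# Added example: deny-list file selection for a workflow-scanning job.
# Assumptions (not from the PR): scanning roots are .github/workflows and
# devops/actions; SKIP_LIST holds repo-relative paths that are deliberately
# excluded, one per whitespace-separated entry (constructed placeholder below).
SKIP_LIST="${SKIP_LIST:-.github/workflows/third-party-only.yml}"

# select_yaml ROOT: print sorted repo-relative YAML paths to scan.
# Everything under the scanning roots is included unless it is in SKIP_LIST,
# so an unclassified file is scanned until someone explicitly opts it out.
select_yaml() {
    root="$1"
    (
        cd "$root" || exit 1
        find .github/workflows devops/actions \
            -type f \( -name '*.yml' -o -name '*.yaml' \) 2>/dev/null |
        sed 's#^\./##' |
        sort
    ) | while IFS= read -r f; do
        skip=0
        for s in $SKIP_LIST; do
            [ "$f" = "$s" ] && skip=1
        done
        [ "$skip" -eq 0 ] && printf '%s\n' "$f"
    done
}

# make_fixture DIR: build a constructed repository layout for the demo.
# Includes an "unclassified" workflow, a skipped one, and a YAML outside
# the scanning roots that must not be picked up.
make_fixture() {
    mkdir -p "$1/.github/workflows" "$1/devops/actions/setup" "$1/src"
    : > "$1/.github/workflows/sycl-linux.yml"
    : > "$1/.github/workflows/ur-build.yml"
    : > "$1/.github/workflows/new-unclassified.yml"
    : > "$1/.github/workflows/third-party-only.yml"
    : > "$1/devops/actions/setup/action.yml"
    : > "$1/src/not-a-workflow.yml"
}

# Usage: select_yaml /path/to/checkout | xargs <scanner>
```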
