From 8f9f433974fe1eb0efb6e4e3a6d3e2dc35960f5e Mon Sep 17 00:00:00 2001
From: "Kornev, Nikita"
Date: Tue, 21 Oct 2025 17:53:00 +0200
Subject: [PATCH 1/4] [CI] Add zizmor workflow
Zizmor is a static analysis tool for GitHub Actions. See https://github.com/zizmorcore/zizmor This is necessary to improve the security of the repository and releases. Analysis results can be found in the Security tab.
---
.github/workflows/sycl-zizmor.yml | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
create mode 100644 .github/workflows/sycl-zizmor.yml
diff --git a/.github/workflows/sycl-zizmor.yml b/.github/workflows/sycl-zizmor.yml
new file mode 100644
index 0000000000000..f6d2afca5ab2f
--- /dev/null
+++ b/.github/workflows/sycl-zizmor.yml
@@ -0,0 +1,30 @@
+name: Zizmor
+
+on:
+ workflow_dispatch:
+ push:
+ paths:
+ - '.github/workflows/sycl-*.yml'
+ - '.github/workflows/ur-*.yml'
+ - 'devops/actions/*/action.yml'
+
+permissions: {}
+
+jobs:
+ zizmor:
+ name: Run zizmor
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v5
+ with:
+ sparse-checkout-cone-mode: false
+ sparse-checkout: |
+ .github/workflows/sycl-*
+ .github/workflows/ur-*
+ devops/actions/
+
+ - name: Run zizmor
+ uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
From 1847201ca987de4d0a5ef89eed6b7591dce2116d Mon Sep 17 00:00:00 2001
From: "Kornev, Nikita"
Date: Mon, 27 Oct 2025 17:47:54 +0100
Subject: [PATCH 2/4] make list less strict
---
.github/workflows/sycl-zizmor.yml | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/.github/workflows/sycl-zizmor.yml b/.github/workflows/sycl-zizmor.yml
index f6d2afca5ab2f..6f8c10c84db53 100644
--- a/.github/workflows/sycl-zizmor.yml
+++ b/.github/workflows/sycl-zizmor.yml
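Review bot: The checkout step is pinned to the mutable tag `actions/checkout@v5`, while the zizmor step on the last added line is pinned to a full commit SHA with a version comment; this is the pattern zizmor's own `unpinned-uses` audit is likely to flag, so the workflow that introduces the scanner would report a finding against itself. Pin it the same way, e.g. `uses: actions/checkout@<commit-sha-of-v5> # v5`. Since no later step needs the token left in the working tree, also consider adding `persist-credentials: false` under the checkout step's `with:` block, which zizmor's `artipacked` audit otherwise reports. Note too that the `push` trigger has no `branches` filter, so the job runs on every branch push that touches the listed paths; that may be intended, but it is worth stating in a comment.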
@@ -22,8 +22,7 @@ jobs:
 with:
 sparse-checkout-cone-mode: false
 sparse-checkout: |
- .github/workflows/sycl-*
- .github/workflows/ur-*
+ .github/workflows/
 devops/actions/
 
 - name: Run zizmor
From d2a38ba031fa64f9079c815e84f65c6a1a2739df Mon Sep 17 00:00:00 2001
From: "Kornev, Nikita"
Date: Mon, 27 Oct 2025 18:16:48 +0100
Subject: [PATCH 3/4] upd paths
---
.github/workflows/sycl-zizmor.yml | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/sycl-zizmor.yml b/.github/workflows/sycl-zizmor.yml
index 6f8c10c84db53..10c2ac8d62683 100644
--- a/.github/workflows/sycl-zizmor.yml
+++ b/.github/workflows/sycl-zizmor.yml
@@ -4,9 +4,8 @@ on:
 workflow_dispatch:
 push:
 paths:
- - '.github/workflows/sycl-*.yml'
- - '.github/workflows/ur-*.yml'
- - 'devops/actions/*/action.yml'
+ - '.github/workflows/**
+ - 'devops/actions/**'
 
 permissions: {}
 
From f9a437b157a344d1eb4d78b8e03b0a5d33aba5dd Mon Sep 17 00:00:00 2001
From: "Kornev, Nikita"
Date: Mon, 27 Oct 2025 18:31:07 +0100
Subject: [PATCH 4/4] add a comment and upd paths
---
.github/workflows/sycl-zizmor.yml | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/sycl-zizmor.yml b/.github/workflows/sycl-zizmor.yml
index 10c2ac8d62683..cc32367f11438 100644
--- a/.github/workflows/sycl-zizmor.yml
+++ b/.github/workflows/sycl-zizmor.yml
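Review bot: The added line `- '.github/workflows/**` in the `@@ -4,9 +4,8 @@` hunk is missing its closing quote, so at this commit the workflow file is not valid YAML and GitHub would refuse to load it, meaning the `push` trigger being edited here never fires. The last patch in the series rewrites the line, but an unparsable intermediate commit stays in history and breaks per-commit CI or bisecting; amending it to `- '.github/workflows/**'` keeps every commit loadable. Quoting is still needed on this value because a bare `**` would be read by YAML as an alias.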
@@ -3,9 +3,16 @@ name: Zizmor
 on:
 workflow_dispatch:
 push:
+ # Although workflow files (.yml) should only be placed in the
+ # .github/workflows directory, composite actions may be placed anywhere.
+ # Here in intel/llvm composite actions are placed in the devops/actions
+ # directory. In llvm/llvm-project composite actions are placed right in the
+ # .github/workflows directory. Therefore limiting the scanning to only these
+ # directories. BUT we may consider scanning the entire repository to enhance
+ # security.
 paths:
- - '.github/workflows/**
- - 'devops/actions/**'
+ - '.github/workflows/**/*.yml'
+ - 'devops/actions/**/*.yml'
 
 permissions: {}
 
@@ -21,8 +28,8 @@ jobs:
 with:
 sparse-checkout-cone-mode: false
 sparse-checkout: |
- .github/workflows/
- devops/actions/
+ .github/workflows/**/*.yml
+ devops/actions/**/*.yml
 
 - name: Run zizmor
 uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
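Review bot: Both new `paths` entries, and the matching sparse-checkout patterns in the second hunk (`@@ -21,8 +28,8 @@`), only match `*.yml`, but GitHub also accepts a `.yaml` extension for workflow files and `action.yaml` for composite actions, so such a file would neither trigger the scan nor be checked out for zizmor to see. Add the `.yaml` variants to both lists, e.g. `- '.github/workflows/**/*.yaml'` and `- 'devops/actions/**/*.yaml'` under `paths`, and the same two patterns in the `sparse-checkout` block. The new comment explains why scanning is limited to these directories; it would help to also state that the trigger filter and the checkout scope are two separate lists that must be kept in sync, since a mismatch silently leaves files unscanned.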