[CI] Add zizmor workflow #20437
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| name: Zizmor | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| # Although workflow files (.yml) should only be placed in the | ||
| # .github/workflows directory, composite actions may be placed anywhere. | ||
| # Here in intel/llvm composite actions are placed in the devops/actions | ||
| # directory. In llvm/llvm-project composite actions are placed right in the | ||
| # .github/workflows directory. Therefore limiting the scanning to only these | ||
| # directories. BUT we may consider scanning the entire repository to enhance | ||
| # security. | ||
| paths: | ||
| - '.github/workflows/**/*.yml' | ||
| - 'devops/actions/**/*.yml' | ||
|
|
||
| permissions: {} | ||
|
|
||
| jobs: | ||
| zizmor: | ||
| name: Run zizmor | ||
| runs-on: ubuntu-latest | ||
| permissions: | ||
| security-events: write | ||
| steps: | ||
| - name: Checkout repository | ||
| uses: actions/checkout@v5 | ||
| with: | ||
| sparse-checkout-cone-mode: false | ||
| sparse-checkout: | | ||
| .github/workflows/**/*.yml | ||
|
There was a problem hiding this comment. ** wildcard is resolved with recursive walk including visiting current folder '.', right? correct? |
||
| devops/actions/**/*.yml | ||
|
|
||
| - name: Run zizmor | ||
| uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0 | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is my understanding correct that this change detects and scans yaml files assuming some folder structure of .github / devops folders?
If such, are the hardcoded paths something intentional and you want to keep track of the target folders structure changes in the future OR it is an initial temporal solution and eventually you want something more flexible?
Thanks,
-S
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, not sure what you mean by "some folder structure". Workflow files are always stored in the
.github/workflows/directory, and our composite actions are stored indevops/actions. I don't think this will ever change.Also, this workflow downloads and scans only
.github/workflows/sycl-*&.github/workflows/ur-*ymls and all ymls in thedevops/actionsdirectory, as I believe it's the only workflows we launch here in intel/llvm (@intel/dpcpp-devops-reviewers right?). It's intended to avoid alerts in workflows we don't even run.Does this answer your question? If not, could you please clarify what you mean.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
How reliable this statement is? Should it be possible to commit and run a workflow file from a different folder?
From security point of view having a list of explicitly disabled for scanning items is preferred vs. the list of 'enabled' items, so when unclassified item is added it goes through the scanning by default until it is disabled explicitly.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's just how GitHub works - all workflows should be placed in the
.github/workflowsdirectory to be launched, so it's not possible to run a workflow file from a different folder.Nevertheless, composite actions may be placed anywhere. But I believe here in intel/llvm the devops team won't allow a developer to place a composite action anywhere but the
devops/actionsdirectory. And as I see in llvm/llvm-project composite actions are always stored right in the.github/workflowsdir, although I didn't find any strict policy about this.Anyways, I've updated the patch to not only scan
sycl-*andur-*workflow files in.github/workflows, but the whole directory. If this is still not good enough, we can switch to scanning the whole repo.Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for following up on that.
Might be good enough given your explanations wrt github limitations.
Although, shouldn't we drop sycl-* and ur-* masks in "on:" section either?
I'd recommend adding comments from your paragraph about devops/actions directory somewhere in this file. Something along the lines that we may consider scanning whole repo rather than devops/actions only if we want to harden security...
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oops, right, updated.
Added a comment.