github: add GHA security scanner workflow (zizmor)#39
Conversation
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
|
@tomponline would you mind enabling https://github.com/canonical/setup-lxd/security/quality, please? |
There was a problem hiding this comment.
Pull request overview
Adds an automated GitHub Actions security scanning workflow (zizmor) and adjusts existing workflows/config to align with that security posture.
Changes:
- Add a new
zizmorGitHub Actions workflow to analyze workflow security. - Refactor composite action steps to pass inputs via step
envvariables (instead of direct expression interpolation). - Remove the “Require GHA pinning” step from the test workflow and add a Dependabot update cooldown.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
action.yml |
Routes inputs.* into step env variables used by bash scripts. |
.github/workflows/zizmor.yml |
Introduces zizmor-based workflow security analysis in CI. |
.github/workflows/test.yml |
Removes the workflow pinning enforcement step from tests. |
.github/dependabot.yml |
Adds a Dependabot cooldown setting for GitHub Actions updates. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
Signed-off-by: Simon Deziel <simon.deziel@canonical.com>
Done |
No description provided.