chore(multiple samples) Update pytest dependencies to solve dependabot security alerts. #4

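name: 'GitHub Actions Scan'

# Reusable zizmor scan of `.github/workflows`.
#
# The workflow runs on `pull_request_target`, so GITHUB_TOKEN and the WIF
# identity belong to the *base* repository while the tree being scanned is
# the PR head (`github.event.pull_request.head.sha`). That is the classic
# pwn-request surface; it is only safe here because every job that checks
# out the PR head merely *reads* it (git diff, zizmor via a read-only
# volume, jq) and never builds, installs or executes anything from it.
# Keep that invariant and `persist-credentials: false` when editing.
on:
  workflow_call:
    inputs:
      # Overrides the Workload Identity provider used by `zizmor-upload`.
      # Setting it also forces `zizmor-scan` to run (see its `if:`).
      wif_provider:
        type: 'string'
      # Overrides the GCS bucket that receives the enriched SARIF file.
      zizmor_result_bucket:
        type: 'string'
  pull_request_target:

# No default token permissions; each job grants only what it needs.
permissions: {}

env:
  ZIZMOR_VERSION: '1.24.1'
  # Pinned by digest as well as tag so a retagged image cannot silently
  # change the tool that parses the (untrusted) PR workflows.
  ZIZMOR_DOCKER_DIGEST: 'sha256:128ebbe369a95f9d4427737e794537256095b55f779a247aebc960dc4ea1f7b3'
  # Deliberately a string, not a YAML boolean: it is compared against the
  # literal 'true' in `zizmor-output.if`. Set to 'true' to fail the run on
  # High-severity findings.
  ZIZMOR_ENFORCE: 'false'
  ZIZMOR_RESULT_BUCKET: 'zizmor-7165'
  WIF_PROVIDER: 'projects/102295818544/locations/global/workloadIdentityPools/gitsec-gha-artifacts/providers/gitsec-gha-artifacts-provider'

jobs:
  # Gate: only scan when the PR touches a workflow file.
  check-changes:
    runs-on: 'ubuntu-latest'
    outputs:
      changed: '${{ steps.check.outputs.changed }}'
    permissions:
      contents: 'read'
    steps:
      - name: 'Checkout source'
        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v6
        with:
          ref: '${{ github.event.pull_request.head.sha }}'
          # Full history so both the base and head SHAs used below resolve.
          # NOTE(review): full clone is costly on large repos; a depth-limited
          # fetch of the two SHAs would do if the runner image supports it.
          fetch-depth: 0
          # Untrusted PR tree: never leave the base-repo token in .git/config.
          persist-credentials: false
      - name: 'Check for workflow changes'
        id: 'check'
        shell: 'bash'
        env:
          # Passed through env rather than interpolated into the script so
          # the (attacker-influenced) event payload never reaches bash as code.
          GIT_HEAD_SHA: '${{ github.event.pull_request.head.sha }}'
          GIT_BASE_SHA: '${{ github.event.pull_request.base.sha }}'
        run: |
          changed="false"
          if git diff --name-only "${GIT_BASE_SHA}" "${GIT_HEAD_SHA}" \
            | grep -qE '^\.github/workflows/.+\.ya?ml$'; then
            changed="true"
          fi
          echo "changed=$changed" >> "$GITHUB_OUTPUT"

  # Run zizmor in SARIF mode, enrich the result with repo/run provenance,
  # stash it as an artifact and report whether any High finding exists.
  zizmor-scan:
    needs: ['check-changes']
    runs-on: 'ubuntu-latest'
    # Runs unconditionally when a caller supplies `wif_provider`; otherwise
    # only for pull_request_target runs that changed a workflow file.
    # NOTE(review): the `workflow_ref` clause restricts the second branch to
    # runs whose workflow file is not hosted in `github.repository`; confirm
    # that this matches the intended self-repo vs. caller-repo behaviour.
    if: >-
      inputs.wif_provider != '' ||
      (
        needs.check-changes.outputs.changed == 'true' &&
        github.event_name == 'pull_request_target' &&
        !startsWith(github.workflow_ref, format('{0}/', github.repository))
      )
    permissions:
      contents: 'read'
    outputs:
      has-high-severity: '${{ steps.check-findings-severity.outputs.has-high-severity }}'
      zizmor-enforce: '${{ steps.check-findings-severity.outputs.zizmor-enforce }}'
    steps:
      - name: 'Checkout source'
        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v6
        with:
          ref: '${{ github.event.pull_request.head.sha }}'
          persist-credentials: false
      - name: 'Run zizmor'
        shell: 'bash'
        env:
          # Read-only token (`contents: read` above); used by zizmor for
          # online audits. Do not widen this job's permissions.
          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
        # The workspace is mounted read-only: the container may parse the PR
        # workflows but cannot write into the checkout.
        # NOTE(review): zizmor normally returns a non-zero exit code when it
        # has findings; under `bash -e` that would fail this step before the
        # severity check below runs. If that is observed, add
        # `--no-exit-codes` here and let `zizmor-output` be the gate.
        run: >-
          docker run
          --rm
          --volume "${GITHUB_WORKSPACE}:/workspace:ro"
          --workdir "/workspace"
          --env GH_TOKEN="${GH_TOKEN}"
          "ghcr.io/zizmorcore/zizmor:${ZIZMOR_VERSION}@${ZIZMOR_DOCKER_DIGEST}"
          --format sarif
          --
          .github/workflows
          > zizmor.sarif.json
      - name: 'Enrich SARIF with GitHub metadata'
        shell: 'bash'
        env:
          # On pull_request_target GITHUB_SHA is the *base* branch commit, but
          # the tree zizmor just scanned is the PR head checked out above.
          # Record the scanned revision; fall back to GITHUB_SHA for callers
          # that run outside a pull-request context.
          SCAN_SHA: '${{ github.event.pull_request.head.sha }}'
        run: >-
          jq
          --arg uri "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}"
          --arg sha "${SCAN_SHA:-${GITHUB_SHA}}"
          --argjson repo_id "${GITHUB_REPOSITORY_ID}"
          --argjson owner_id "${GITHUB_REPOSITORY_OWNER_ID}"
          --arg run_id "${GITHUB_SERVER_URL}/${GITHUB_REPOSITORY}/actions/runs/${GITHUB_RUN_ID}/attempts/${GITHUB_RUN_ATTEMPT}"
          '.runs[] |= . + {
            "versionControlProvenance": [
              {
                "repositoryUri": $uri,
                "revisionId": $sha,
                "properties": {
                  "github_repository_id": $repo_id,
                  "github_owner_id": $owner_id
                }
              }
            ],
            "invocations": [
              {
                "executionSuccessful": true,
                "properties": {
                  "execution_id": $run_id
                }
              }
            ]
          }' zizmor.sarif.json > enriched.sarif.json
      - name: 'Save result'
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # ratchet:actions/upload-artifact@v7
        with:
          name: 'zizmor'
          path: 'enriched.sarif.json'
          # A missing file means the scan or enrichment silently broke.
          if-no-files-found: 'error'
          retention-days: 1
      - name: 'Check for high severity findings'
        id: 'check-findings-severity'
        shell: 'bash'
        # `results[]?` tolerates runs with no `results` key; the output is the
        # jq boolean literal, which `zizmor-output.if` compares to 'true'.
        run: |
          result=$(jq 'any(.runs[].results[]?; .properties["zizmor/severity"] == "High")' zizmor.sarif.json)
          echo "has-high-severity=$result" >> "$GITHUB_OUTPUT"
          echo "zizmor-enforce=${ZIZMOR_ENFORCE}" >> "$GITHUB_OUTPUT"

  # Ship the enriched SARIF to GCS. Isolated from the scan job so the only
  # job holding an OIDC token never touches the untrusted PR checkout.
  zizmor-upload:
    needs: ['zizmor-scan']
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
      # Required for Workload Identity Federation; no long-lived GCP key.
      id-token: 'write'
    steps:
      - name: 'Retrieve result'
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # ratchet:actions/download-artifact@v8
        with:
          name: 'zizmor'
      - name: 'Authenticate to GCP'
        uses: 'google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed' # ratchet:google-github-actions/auth@v2
        with:
          # Caller-supplied provider wins over the baked-in default.
          workload_identity_provider: >-
            ${{ inputs.wif_provider != '' && inputs.wif_provider || env.WIF_PROVIDER }}
      - name: 'Upload result'
        shell: 'bash'
        env:
          GITHUB_PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number }}'
          ZIZMOR_RESULT_BUCKET: >-
            ${{ inputs.zizmor_result_bucket != '' && inputs.zizmor_result_bucket || env.ZIZMOR_RESULT_BUCKET }}
        # Object key is built only from runner-controlled values (repository,
        # PR number, run id/attempt), so a PR cannot steer the destination.
        run: >-
          gcloud storage cp
          enriched.sarif.json
          "gs://${ZIZMOR_RESULT_BUCKET}/${GITHUB_REPOSITORY}/${GITHUB_PULL_REQUEST_NUMBER}_${GITHUB_RUN_ID}_${GITHUB_RUN_ATTEMPT}.sarif.json"

  # Enforcement: when enabled and a High finding exists, re-run zizmor in
  # `github` format so findings surface as annotations and the job fails.
  zizmor-output:
    needs: ['zizmor-scan']
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
    if: >-
      needs.zizmor-scan.outputs.zizmor-enforce == 'true' &&
      needs.zizmor-scan.outputs.has-high-severity == 'true'
    steps:
      - name: 'Checkout source'
        uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v6
        with:
          ref: '${{ github.event.pull_request.head.sha }}'
          persist-credentials: false
      - name: 'Re-run zizmor with github format'
        shell: 'bash'
        env:
          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
        # Same pinned image and read-only mount as the SARIF scan.
        run: >-
          docker run
          --rm
          --volume "${GITHUB_WORKSPACE}:/workspace:ro"
          --workdir "/workspace"
          --env GH_TOKEN="${GH_TOKEN}"
          "ghcr.io/zizmorcore/zizmor:${ZIZMOR_VERSION}@${ZIZMOR_DOCKER_DIGEST}"
          --format github
          --
          .github/workflows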