From 5a9d84a2f1c7c877e5e514a35c9d88cc554c0d68 Mon Sep 17 00:00:00 2001 From: Bruno Borges Date: Mon, 22 Jun 2026 14:57:44 -0400 Subject: [PATCH 1/3] Harden workflows with least-privilege permissions and zizmor Apply GitHub Actions security best practices to the action's own workflows and integrate zizmor to catch regressions. - Add explicit least-privilege `permissions:` to every workflow (contents: read for read-only workflows; default-deny `{}` with job-scoped grants for codeql, publish-immutable-actions and update-config-files). - Set `persist-credentials: false` on all checkout steps that don't need the GITHUB_TOKEN afterwards. - Move `${{ ... }}` expansions out of `run:` blocks into `env:` vars to avoid template injection. - Pin the alpine container image (alpine:latest -> alpine:3.21). - Add a zizmor CI workflow that uploads SARIF to code scanning, plus a `.github/zizmor.yml` pinning policy (ref-pin for actions/* and github/*, hash-pin for third-party actions). zizmor now reports no findings (offline and online). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/basic-validation.yml | 3 + .github/workflows/check-dist.yml | 3 + .github/workflows/codeql-analysis.yml | 2 + .../workflows/e2e-cache-dependency-path.yml | 9 ++ .github/workflows/e2e-cache.yml | 15 +++ .github/workflows/e2e-local-file.yml | 21 +++- .github/workflows/e2e-publishing.yml | 11 +++ .github/workflows/e2e-versions.yml | 99 ++++++++++++++++--- .github/workflows/licensed.yml | 3 + .../workflows/publish-immutable-actions.yml | 4 + .github/workflows/update-config-files.yml | 5 + .github/workflows/zizmor.yml | 48 +++++++++ .github/zizmor.yml | 11 +++ 13 files changed, 215 insertions(+), 19 deletions(-) create mode 100644 .github/workflows/zizmor.yml create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/basic-validation.yml b/.github/workflows/basic-validation.yml index e93e58009..ea70e0577 100644 --- a/.github/workflows/basic-validation.yml 
+++ b/.github/workflows/basic-validation.yml @@ -11,6 +11,9 @@ on: paths-ignore: - '**.md' +permissions: + contents: read + jobs: call-basic-validation: name: Basic validation diff --git a/.github/workflows/check-dist.yml b/.github/workflows/check-dist.yml index 90ef986ad..5592249e7 100644 --- a/.github/workflows/check-dist.yml +++ b/.github/workflows/check-dist.yml @@ -11,6 +11,9 @@ on: - '**.md' workflow_dispatch: +permissions: + contents: read + jobs: call-check-dist: name: Check dist/ diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 1816c150c..598f7de5d 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -8,6 +8,8 @@ on: schedule: - cron: '0 3 * * 0' +permissions: {} + jobs: call-codeQL-analysis: permissions: diff --git a/.github/workflows/e2e-cache-dependency-path.yml b/.github/workflows/e2e-cache-dependency-path.yml index 8b40e99f0..cd1c7bc79 100644 --- a/.github/workflows/e2e-cache-dependency-path.yml +++ b/.github/workflows/e2e-cache-dependency-path.yml @@ -11,6 +11,9 @@ on: paths-ignore: - '**.md' +permissions: + contents: read + defaults: run: shell: bash @@ -25,6 +28,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run setup-java with the cache for gradle uses: ./ id: setup-java @@ -52,6 +57,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run setup-java with the cache for gradle uses: ./ id: setup-java @@ -77,6 +84,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run setup-java with the cache for gradle uses: ./ id: setup-java diff --git a/.github/workflows/e2e-cache.yml b/.github/workflows/e2e-cache.yml index 6df10b578..58f8beffa 100644 --- a/.github/workflows/e2e-cache.yml +++ b/.github/workflows/e2e-cache.yml 
@@ -11,6 +11,9 @@ on: paths-ignore: - '**.md' +permissions: + contents: read + defaults: run: shell: bash @@ -25,6 +28,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run setup-java with the cache for gradle uses: ./ id: setup-java @@ -51,6 +56,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run setup-java with the cache for gradle uses: ./ id: setup-java @@ -74,6 +81,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run setup-java with the cache for maven uses: ./ id: setup-java @@ -98,6 +107,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run setup-java with the cache for maven uses: ./ id: setup-java @@ -125,6 +136,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run setup-java with the cache for sbt uses: ./ id: setup-java @@ -175,6 +188,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Run setup-java with the cache for sbt uses: ./ id: setup-java diff --git a/.github/workflows/e2e-local-file.yml b/.github/workflows/e2e-local-file.yml index 92fdf7597..47b9da553 100644 --- a/.github/workflows/e2e-local-file.yml +++ b/.github/workflows/e2e-local-file.yml @@ -11,6 +11,9 @@ on: paths-ignore: - '**.md' +permissions: + contents: read + jobs: setup-java-local-file-adopt: name: Validate installation from local file Adopt @@ -22,6 +25,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Download Adopt OpenJDK file run: | if ($IsLinux) { 
@@ -46,7 +51,9 @@ jobs: java-version: '11.0.0-ea' architecture: x64 - name: Verify Java version - run: bash __tests__/verify-java.sh "11.0.10" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "11.0.10" "$JAVA_PATH" shell: bash setup-java-local-file-zulu: @@ -59,6 +66,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Download Zulu OpenJDK file run: | if ($IsLinux) { @@ -83,7 +92,9 @@ jobs: java-version: '11.0.0-ea' architecture: x64 - name: Verify Java version - run: bash __tests__/verify-java.sh "11.0" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "11.0" "$JAVA_PATH" shell: bash setup-java-local-file-temurin: @@ -96,6 +107,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Download Eclipse Temurin file run: | if ($IsLinux) { @@ -120,5 +133,7 @@ jobs: java-version: '11.0.0-ea' architecture: x64 - name: Verify Java version - run: bash __tests__/verify-java.sh "11.0.12" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "11.0.12" "$JAVA_PATH" shell: bash diff --git a/.github/workflows/e2e-publishing.yml b/.github/workflows/e2e-publishing.yml index 0c0aaafa9..62c8f7299 100644 --- a/.github/workflows/e2e-publishing.yml +++ b/.github/workflows/e2e-publishing.yml @@ -11,6 +11,9 @@ on: paths-ignore: - '**.md' +permissions: + contents: read + defaults: run: shell: pwsh @@ -26,6 +29,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java @@ -61,6 +66,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Create fake settings.xml run: | $xmlDirectory = Join-Path $HOME ".m2" 
@@ -97,6 +104,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Create fake settings.xml run: | $xmlDirectory = Join-Path $HOME ".m2" @@ -134,6 +143,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java diff --git a/.github/workflows/e2e-versions.yml b/.github/workflows/e2e-versions.yml index 7dc8d8a71..2712367ac 100644 --- a/.github/workflows/e2e-versions.yml +++ b/.github/workflows/e2e-versions.yml @@ -13,6 +13,10 @@ on: schedule: - cron: '0 */12 * * *' workflow_dispatch: + +permissions: + contents: read + jobs: setup-java-major-versions: name: ${{ matrix.distribution }} ${{ matrix.version }} (jdk-x64) - ${{ matrix.os }} @@ -74,6 +78,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java @@ -83,14 +89,17 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_VERSION: ${{ matrix.version }} + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" shell: bash setup-java-alpine-linux: name: ${{ matrix.distribution }} ${{ matrix.version }} (jdk-x64) - alpine-linux - ${{ matrix.os }} runs-on: ${{ matrix.os }} container: - image: alpine:latest + image: alpine:3.21 strategy: fail-fast: false matrix: @@ -100,6 +109,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Install bash run: apk add --no-cache bash - name: setup-java 
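Review bot: `image: alpine:3.21` in the setup-java-alpine-linux container block of the `@@ -83,14 +89,17 @@` hunk is still a mutable tag, so the job's base image can change underneath it even though the same commit adds a hash-pin policy for third-party actions. Pinning the tag to a digest, e.g. `image: alpine:3.21@sha256:<digest-placeholder>`, gives the container the same immutability and makes image updates an explicit, reviewable change. The matrix and steps of this job continue outside the hunk.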
@@ -109,7 +120,10 @@ jobs: java-version: ${{ matrix.version }} distribution: ${{ matrix.distribution }} - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_VERSION: ${{ matrix.version }} + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" shell: bash setup-java-major-minor-versions: @@ -150,6 +164,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java @@ -157,10 +173,12 @@ jobs: java-version: ${{ matrix.version }} distribution: ${{ matrix.distribution }} - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" - shell: bash env: + JAVA_VERSION: ${{ matrix.version }} + JAVA_PATH: ${{ steps.setup-java.outputs.path }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" + shell: bash setup-java-check-latest: name: ${{ matrix.distribution }} ${{ matrix.version }} - check-latest flag - ${{ matrix.os }} @@ -185,6 +203,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java @@ -195,7 +215,9 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Verify Java - run: bash __tests__/verify-java.sh "11" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "11" "$JAVA_PATH" shell: bash setup-java-multiple-jdks: @@ -221,6 +243,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java 
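Review bot: In the `@@ -157,10 +173,12 @@` hunk of setup-java-major-minor-versions, the Verify Java step's env block keeps `GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` next to the new `JAVA_VERSION` and `JAVA_PATH` entries, while in the other jobs of this file the token sits on the setup-java step and the Verify Java step has none. If `__tests__/verify-java.sh` does not call the GitHub API, that token line should move to the setup-java step (or be dropped) so the verification shell only sees the two values it uses. The placement looks pre-existing, but a least-privilege sweep is the natural place to correct it.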
@@ -245,7 +269,9 @@ jobs: } shell: pwsh - name: Verify Java - run: bash __tests__/verify-java.sh "17" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "17" "$JAVA_PATH" shell: bash setup-java-ea-versions-zulu: @@ -260,6 +286,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java @@ -267,7 +295,10 @@ jobs: java-version: ${{ matrix.version }} distribution: zulu - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_VERSION: ${{ matrix.version }} + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" shell: bash setup-java-ea-versions-temurin: @@ -282,6 +313,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java @@ -289,7 +322,10 @@ jobs: java-version: ${{ matrix.version }} distribution: temurin - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_VERSION: ${{ matrix.version }} + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" shell: bash setup-java-ea-versions-sapmachine: @@ -304,6 +340,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java @@ -311,7 +349,10 @@ jobs: java-version: ${{ matrix.version }} distribution: sapmachine - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_VERSION: ${{ matrix.version }} + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" shell: bash setup-java-custom-package-type: 
@@ -391,6 +432,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java @@ -401,7 +444,10 @@ jobs: env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_VERSION: ${{ matrix.version }} + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" shell: bash # Only Liberica and Zulu provide x86 @@ -419,6 +465,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: setup-java uses: ./ id: setup-java @@ -427,7 +475,10 @@ jobs: java-version: ${{ matrix.version }} architecture: 'x86' - name: Verify Java - run: bash __tests__/verify-java.sh "${{ matrix.version }}" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_VERSION: ${{ matrix.version }} + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "$JAVA_VERSION" "$JAVA_PATH" shell: bash setup-java-version-both-version-inputs-presents: @@ -442,6 +493,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Create .java-version file shell: bash run: echo "17" > .java-version @@ -456,7 +509,9 @@ jobs: java-version: 11 java-version-file: ${{matrix.java-version-file }} - name: Verify Java - run: bash __tests__/verify-java.sh "11" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "11" "$JAVA_PATH" shell: bash setup-java-version-from-file-major-notation: @@ -471,6 +526,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Create .java-version file shell: bash run: echo "11" > .java-version 
@@ -484,7 +541,9 @@ jobs: distribution: ${{ matrix.distribution }} java-version-file: ${{matrix.java-version-file }} - name: Verify Java - run: bash __tests__/verify-java.sh "11" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "11" "$JAVA_PATH" shell: bash setup-java-version-from-file-major-minor-patch-notation: @@ -499,6 +558,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Create .java-version file shell: bash run: echo "17.0.10" > .java-version @@ -512,7 +573,9 @@ jobs: distribution: ${{ matrix.distribution }} java-version-file: ${{matrix.java-version-file }} - name: Verify Java - run: bash __tests__/verify-java.sh "17.0.10" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "17.0.10" "$JAVA_PATH" shell: bash setup-java-version-from-file-major-minor-patch-with-dist: @@ -527,6 +590,8 @@ jobs: steps: - name: Checkout uses: actions/checkout@v6 + with: + persist-credentials: false - name: Create .java-version file shell: bash run: echo "openjdk64-17.0.10" > .java-version @@ -543,5 +608,7 @@ jobs: distribution: ${{ matrix.distribution }} java-version-file: ${{matrix.java-version-file }} - name: Verify Java - run: bash __tests__/verify-java.sh "17.0.10" "${{ steps.setup-java.outputs.path }}" + env: + JAVA_PATH: ${{ steps.setup-java.outputs.path }} + run: bash __tests__/verify-java.sh "17.0.10" "$JAVA_PATH" shell: bash diff --git a/.github/workflows/licensed.yml b/.github/workflows/licensed.yml index 37f1560c3..b5d009cb5 100644 --- a/.github/workflows/licensed.yml +++ b/.github/workflows/licensed.yml @@ -9,6 +9,9 @@ on: - main workflow_dispatch: +permissions: + contents: read + jobs: call-licensed: name: Licensed 
diff --git a/.github/workflows/publish-immutable-actions.yml b/.github/workflows/publish-immutable-actions.yml index bfe592049..1e26d2d85 100644 --- a/.github/workflows/publish-immutable-actions.yml +++ b/.github/workflows/publish-immutable-actions.yml @@ -5,6 +5,8 @@ on: types: [released] workflow_dispatch: +permissions: {} + jobs: publish: runs-on: ubuntu-latest @@ -16,6 +18,8 @@ jobs: steps: - name: Checking out uses: actions/checkout@v6 + with: + persist-credentials: false - name: Publish id: publish uses: actions/publish-immutable-action@v0.0.4 diff --git a/.github/workflows/update-config-files.yml b/.github/workflows/update-config-files.yml index 87af50042..bacdc74ec 100644 --- a/.github/workflows/update-config-files.yml +++ b/.github/workflows/update-config-files.yml @@ -5,7 +5,12 @@ on: - cron: '0 3 * * 0' workflow_dispatch: +permissions: {} + jobs: call-update-configuration-files: name: Update configuration files + permissions: + contents: write # to push the branch with updated configuration files + pull-requests: write # to open/update the configuration update PR uses: actions/reusable-workflows/.github/workflows/update-config-files.yml@main diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..d279603d8 --- /dev/null +++ b/.github/workflows/zizmor.yml 
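Review bot: The update-config-files job now grants `contents: write` and `pull-requests: write` to a reusable workflow referenced at `actions/reusable-workflows/.github/workflows/update-config-files.yml@main`, a mutable branch ref. The `.github/zizmor.yml` policy in this series allows ref-pins for `actions/*`, but a branch is weaker than a release tag: anything merged to that branch runs here with write access to this repository's contents and pull requests. Consider referencing a tag or commit SHA, e.g. `...update-config-files.yml@<tag-or-sha-placeholder>`, with a short comment recording why that ref was chosen.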
@@ -0,0 +1,48 @@ +name: Security analysis with zizmor + +on: + push: + branches: + - main + - releases/* + paths-ignore: + - '**.md' + pull_request: + paths-ignore: + - '**.md' + workflow_dispatch: + +permissions: {} + +jobs: + zizmor: + name: Analyze workflows with zizmor + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write # to upload SARIF results to code scanning + steps: + - name: Checkout repository + uses: actions/checkout@v6 + with: + persist-credentials: false + + - name: Set up Python + uses: actions/setup-python@v5 + with: + python-version: '3.x' + + - name: Install zizmor + run: pip install zizmor + + - name: Run zizmor + run: zizmor --format sarif .github/workflows/ > zizmor.sarif + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + - name: Upload SARIF results to code scanning + if: always() + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: zizmor.sarif + category: zizmor diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000..38309ec47 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,11 @@ +# Configuration for zizmor (https://docs.zizmor.sh) +rules: + unpinned-uses: + config: + # First-party GitHub-maintained actions are trusted and referenced by + # major-version tags (the convention used across the actions org). + # Any third-party action must be pinned to a full commit SHA. + policies: + actions/*: ref-pin + github/*: ref-pin + '*': hash-pin From 4d6dd91e72fa6f8e95fa46e6ebab479657a079bc Mon Sep 17 00:00:00 2001 From: Bruno Borges Date: Mon, 22 Jun 2026 15:03:32 -0400 Subject: [PATCH 2/3] Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index d279603d8..4cca56451 100644 --- a/.github/workflows/zizmor.yml 
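Review bot: `run: pip install zizmor` in the new zizmor job installs an unpinned package from PyPI on every run, so the analyzer meant to gate this repository's workflow security is itself the one unpinned dependency in the pipeline, at odds with the hash-pin policy the same commit adds in `.github/zizmor.yml`. Pin it to a specific version (`pip install zizmor==<version-placeholder>`), ideally via a small requirements file with `--require-hashes`, so that an upgraded or compromised release cannot silently change the findings. The `GH_TOKEN` line would also benefit from a comment such as `# read-only token for zizmor's online audits`, since on fork pull requests the token is read-only and those audits may presumably be limited there.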
+++ b/.github/workflows/zizmor.yml @@ -41,7 +41,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF results to code scanning - if: always() +if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) uses: github/codeql-action/upload-sarif@v3 with: sarif_file: zizmor.sarif From 5f665f19f4d3a9d86a51257c8eb6a5cc32d878b9 Mon Sep 17 00:00:00 2001 From: Bruno Borges Date: Mon, 22 Jun 2026 15:16:53 -0400 Subject: [PATCH 3/3] Fix indentation of if: in zizmor SARIF upload step The `if:` key on the "Upload SARIF results to code scanning" step had no indentation, producing invalid YAML ("Nested mappings are not allowed in compact mappings"). This broke `npm run format-check` (prettier) in Basic validation. Indent `if:` to 8 spaces so it nests under the step alongside uses/with. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> --- .github/workflows/zizmor.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 4cca56451..11a0f96a6 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -41,7 +41,7 @@ jobs: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: Upload SARIF results to code scanning -if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) + if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) uses: github/codeql-action/upload-sarif@v3 with: sarif_file: zizmor.sarif
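Review bot: With the corrected `if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)`, SARIF upload is skipped for fork pull requests, which is the right call because `security-events: write` is not available to them, but it means fork PR results surface only through the preceding Run zizmor step's exit status and log. As far as I recall zizmor exits non-zero when it has findings, so that step would still fail the check on fork PRs and the gap is limited to the code-scanning UI; this deserves a comment on the step, e.g. `# Fork PRs cannot upload SARIF (no security-events: write); findings still fail the Run zizmor step`. The rest of the job is above the hunk.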