Chore better zizmor (#573)

willmurphyscode · web-flow · commit 6ac601cd5f6a · 2026-01-16T11:42:14.000-05:00
* ci: enable zizmor to fail github PRs

Set up linting for gh actions yaml and wire up this linter to be able to fail
PRs.

Signed-off-by: Will Murphy &lt;willmurphyscode@users.noreply.github.com&gt;

* chore: remove husky precommit line

Husky was warning that this line was deprecated and would start failing in a
future release.

Signed-off-by: Will Murphy &lt;willmurphyscode@users.noreply.github.com&gt;

* ci: force bash on windows to simplify env var handling

Signed-off-by: Will Murphy &lt;willmurphyscode@users.noreply.github.com&gt;

* quote grype_cmd env var

Signed-off-by: Will Murphy &lt;willmurphyscode@users.noreply.github.com&gt;

---------

Signed-off-by: Will Murphy &lt;willmurphyscode@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,10 +4,14 @@ updates:
     directory: /
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 10
 
   - package-ecosystem: npm
     directory: /
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
     open-pull-requests-limit: 10
diff --git a/.github/workflows/oss-project-board-add.yaml b/.github/workflows/oss-project-board-add.yaml
@@ -8,6 +8,8 @@ on:
       - transferred
       - labeled
 
+permissions: {}
+
 jobs:
 
   run:
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
@@ -5,6 +5,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   update_release_draft:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/tag-release.yml b/.github/workflows/tag-release.yml
@@ -4,6 +4,8 @@ on:
   release:
     types: [published, edited]
 
+permissions: {}
+
 jobs:
   actions-tagger:
     runs-on: ubuntu-latest
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -7,11 +7,15 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   build: # make sure build/ci work properly and there is no faked build ncc built scripts
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
         with:
           node-version-file: package.json
@@ -30,6 +34,8 @@ jobs:
           - 5000:5000
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       - run: npm ci
       - run: npm run test
 
@@ -40,6 +46,7 @@ jobs:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           path: ./
+          persist-credentials: false
 
       - name: "Donwload Grype v0.54.0"
         id: grype
@@ -48,7 +55,10 @@ jobs:
           grype-version: v0.54.0
 
       - name: "Check Grype version before scan-action"
-        run: ${{ steps.grype.outputs.cmd }} version | egrep "^Version:.*0.54.0$"
+        env:
+          GRYPE_CMD: ${{ steps.grype.outputs.cmd }}
+        run: |
+          "$GRYPE_CMD" version | egrep "^Version:.*0.54.0$"
 
       - name: "Scan test image"
         uses: ./
@@ -57,7 +67,10 @@ jobs:
           fail-build: false # to prevent fail due to vuln:s on test image
 
       - name: "Check Grype version after scan-action"
-        run: ${{ steps.grype.outputs.cmd }} version | egrep "^Version:.*0.54.0$"
+        env:
+          GRYPE_CMD: ${{ steps.grype.outputs.cmd }}
+        run: |
+          "$GRYPE_CMD" version | egrep "^Version:.*0.54.0$"
 
   test-all:
     strategy:
@@ -72,6 +85,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       - uses: ./
         id: scan
         with:
@@ -83,4 +98,7 @@ jobs:
 
       - name: Validate file exists
         if: ${{ matrix.output-format != 'table' }}
-        run: test -f '${{ steps.scan.outputs[matrix.output-format] }}'
+        shell: bash
+        env:
+          OUTPUT_FILE: ${{ steps.scan.outputs[matrix.output-format] }}
+        run: test -f "$OUTPUT_FILE"
diff --git a/.github/workflows/update-grype-release.yml b/.github/workflows/update-grype-release.yml
@@ -7,12 +7,16 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   upgrade-grype:
     runs-on: ubuntu-latest
     if: github.repository == 'anchore/scan-action'
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
       - name: Get latest Grype version
         id: latest-version
         env:
diff --git a/.github/workflows/validate-github-actions.yaml b/.github/workflows/validate-github-actions.yaml
@@ -0,0 +1,35 @@
+name: "Validate GitHub Actions"
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: "Lint"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: "Run zizmor"
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+        with:
+          config: .github/zizmor.yml
+          # Disable SARIF upload so the step is a simple pass/fail gate
+          advanced-security: false
+          inputs: .github
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,6 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        # anchore/workflows is an internal repository; using @main is acceptable
+        anchore/*: any
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -1,5 +1,2 @@
-#!/bin/sh
-. "$(dirname "$0")/_/husky.sh"
-
 npx lint-staged
 npm run precommit
