Merge pull request Homebrew#195961 from Homebrew/zizmor

carlocab · web-flow · commit ea5bf0d141ec · 2024-10-30T02:52:29.000Z
workflows/actionlint: run `zizmor`
diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml
@@ -26,7 +26,7 @@ env:
 jobs:
   workflow_syntax:
     if: github.repository_owner == 'Homebrew'
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-latest
     container:
       image: ghcr.io/homebrew/ubuntu22.04:master
     steps:
@@ -57,3 +57,31 @@ jobs:
           echo "::add-matcher::$HOME/actionlint-matcher.json"
 
       - run: actionlint
+
+  zizmor:
+    if: github.repository_owner == 'Homebrew'
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/homebrew/ubuntu22.04:master
+    steps:
+      - name: Set up Homebrew
+        id: setup-homebrew
+        uses: Homebrew/actions/setup-homebrew@master
+        with:
+          core: true
+          cask: false
+          test-bot: false
+
+      - name: Install zizmor
+        run:  brew install zizmor
+
+      - name: Run zizmor
+        run: zizmor --format sarif "${HOMEBREW_TAP_REPOSITORY}" | tee results.sarif
+        env:
+          HOMEBREW_TAP_REPOSITORY: ${{ steps.setup-homebrew.outputs.repository-path }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
