mirror of
https://github.com/pnpm/pnpm.git
synced 2026-05-31 03:58:11 -04:00
6b2a955a15
Resolves all 30 zizmor alerts reported on main after #11607: - template-injection (19): move `${{ ... }}` interpolations in `run:` blocks to `env:` so untrusted-ish values (workflow_dispatch inputs, github.ref_name, github.actor) can't break out of shell quoting. - artipacked (8): add `persist-credentials: false` to `actions/checkout` in audit, benchmark, ci, codeql-analysis, docker, release, test workflows. `update-lockfile.yml` keeps the persisted token (later step pushes to a branch) with a `zizmor: ignore[artipacked]` comment and justification. - dependabot-cooldown (1): add a 7-day cooldown so brand-new (potentially malicious) Actions releases don't get auto-PR'd day-of-release. - ref-version-mismatch (1): `bluwy/release-for-reddit-action` SHA pointed at the `v2` tag, not a non-existent `v2.0.0`. Fix the comment. - superfluous-actions (1): mark `softprops/action-gh-release` with a `zizmor: ignore` and justification — the release pipeline is sensitive and the action is battle-tested; we're not swapping it for `gh release` here. Verified locally with `zizmor --persona regular .github` (online audits on): No findings to report. Good job! (2 ignored, 32 suppressed) --- Written by an agent (Claude Code, claude-opus-4-7).
24 lines
504 B
YAML
24 lines
504 B
YAML
name: Audit
|
|
|
|
on: [push, pull_request]
|
|
|
|
permissions:
|
|
contents: read # to fetch code (actions/checkout)
|
|
|
|
jobs:
|
|
audit:
|
|
name: Audit dependencies
|
|
runs-on: ubuntu-latest
|
|
|
|
steps:
|
|
- name: Checkout Commit
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
persist-credentials: false
|
|
- name: Install pnpm
|
|
uses: pnpm/setup@b1cac37306e39c21283b9dd6cb0ac288fb35ba6b
|
|
with:
|
|
install: false
|
|
- name: Audit
|
|
run: pn audit
|