Merged
4 changes: 2 additions & 2 deletions .github/workflows/tag-push.yaml
@@ -6,10 +6,10 @@
name: 'Release on Tag Push 🚀'

# yamllint disable-line rule:truthy
on:
push:
tags:
- '**'

Check notice on line 12 in .github/workflows/tag-push.yaml (GitHub Actions / Audit Workflows, zizmor: zizmor/concurrency-limits): insufficient job-level concurrency limits: workflow is missing concurrency setting

permissions: {}
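Review bot: the zizmor concurrency-limits notice on line 12 applies to this hunk: the workflow triggers on `push: tags: - '**'` but declares no `concurrency:` block, so two tags pushed in quick succession run overlapping release jobs. Consider a workflow-level group keyed on the ref, for example `concurrency: group: ${{ github.workflow }}-${{ github.ref }}` with `cancel-in-progress: false`, so a release that is already publishing is never cancelled halfway. Unrelated to the checkout bump itself, but this PR already touches the file.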

@@ -32,7 +32,7 @@
egress-policy: audit

# yamllint disable-line rule:line-length
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false
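Review bot: the pin moves to a new full commit SHA with a `# v7.0.0` comment, which is the right pattern, but the comment is only as trustworthy as whoever wrote it: verify that 9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 is the commit actually tagged v7.0.0 in actions/checkout before merging (Dependabot and Renovate keep that comment in sync when they author the bump; if this was done by hand, check it). v6 to v7 is a major version change, so the release notes deserve a look for behaviour changes as well. Keeping `persist-credentials: false` here is good.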

@@ -63,7 +63,7 @@
egress-policy: audit

# yamllint disable-line rule:line-length
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
persist-credentials: false

4 changes: 2 additions & 2 deletions .github/workflows/testing.yaml
@@ -58,17 +58,17 @@
with:
egress-policy: audit

- name: "Checkout local Action"
# yamllint disable-line rule:line-length
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0

Check notice on line 63 in .github/workflows/testing.yaml (GitHub Actions / Audit Workflows, zizmor: zizmor/artipacked): credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

- name: "Checkout test repository: ${{ matrix.description }}"
# yamllint disable-line rule:line-length
uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0
with:
repository: ${{ matrix.repository }}
path: test-project
fetch-depth: 1

Check notice on line 71 in .github/workflows/testing.yaml (GitHub Actions / Audit Workflows, zizmor: zizmor/artipacked): credential persistence through GitHub Actions artifacts: does not set persist-credentials: false

- name: "Debug: List test project files"
shell: bash
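Review bot: both checkout steps in this hunk ("Checkout local Action" at line 63 and "Checkout test repository" at line 71) still omit `persist-credentials: false`, which is what the two zizmor artipacked notices flag, and the same bump in tag-push.yaml does keep that setting, so the two workflows are now inconsistent. With the default, actions/checkout writes the job's GITHUB_TOKEN into `.git/config` of the checked-out tree, so any later step that archives or uploads the workspace (the `test-project` tree included) can leak it. Add `with: persist-credentials: false` to the first step and add `persist-credentials: false` to the existing `with:` block of the second; if a later step genuinely needs the token to push to either tree, that should be stated in a comment next to the step.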
@@ -129,14 +129,14 @@
- name: "Validate SBOM generation results"
shell: bash
run: |
echo "🔍 Validating SBOM generation for ${{ matrix.description }}"

Check notice on line 132 in .github/workflows/testing.yaml (GitHub Actions / Audit Workflows, zizmor: zizmor/template-injection): code injection via template expansion: may expand into attacker-controllable code

# Check if SBOM generation succeeded
if [[ "${{ steps.generate-sbom.outcome }}" != "success" ]]; then
desc="${{ matrix.description }}"

Check notice on line 136 in .github/workflows/testing.yaml (GitHub Actions / Audit Workflows, zizmor: zizmor/template-injection): code injection via template expansion: may expand into attacker-controllable code

echo "❌ SBOM generation failed for $desc"
echo "This might be expected for some repos"
repo="${{ matrix.repository }}"

Check notice on line 139 in .github/workflows/testing.yaml (GitHub Actions / Audit Workflows, zizmor: zizmor/template-injection): code injection via template expansion: may expand into attacker-controllable code

echo "::warning::SBOM generation failed for $repo"
exit 0
fi
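Review bot: the zizmor template-injection notices on lines 132, 136 and 139 apply to `${{ matrix.description }}` and `${{ matrix.repository }}` being expanded into the bash script text before it runs; the surrounding double quotes give no protection, because the substitution happens before bash ever sees the line. Matrix values defined statically in this file are not attacker-controlled today, so the practical risk is low, but the idiom is brittle and is repeated throughout this `run:` block. Move the values into the step's `env:` (for example `env: DESC: ${{ matrix.description }}` and `REPO: ${{ matrix.repository }}`) and reference `"$DESC"` and `"$REPO"` in the script; they then arrive as ordinary environment variables and the notices go away.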
@@ -145,12 +145,12 @@

# Validate dependency manager detection
detected="${{ steps.generate-sbom.outputs.dependency_manager }}"
expected="${{ matrix.expected_manager }}"

Check notice on line 148 in .github/workflows/testing.yaml (GitHub Actions / Audit Workflows, zizmor: zizmor/template-injection): code injection via template expansion: may expand into attacker-controllable code

if [[ -n "$detected" && "$detected" != "$expected" ]]; then
echo "⚠️ Expected '$expected', got '$detected'"
# yamllint disable-next-line rule:line-length
repo="${{ matrix.repository }}"

Check notice on line 153 in .github/workflows/testing.yaml (GitHub Actions / Audit Workflows, zizmor: zizmor/template-injection): code injection via template expansion: may expand into attacker-controllable code

echo "::warning::Manager mismatch: $repo '$expected'/'$detected'"
elif [[ -n "$detected" ]]; then
echo "✅ Dependency manager correctly detected: $detected"
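Review bot: zizmor flags the matrix values on lines 148 and 153, but the interpolation it does not flag is the more interesting one: `detected="${{ steps.generate-sbom.outputs.dependency_manager }}"` on line 147 pastes an output of the action under test into the script, and that output is computed from the contents of whichever third-party repository the matrix checked out into `test-project`. Anything that repository can influence about the detection result is therefore pasted verbatim into bash. Route `detected`, `expected` and `repo` through the step's `env:` block (for example `DETECTED: ${{ steps.generate-sbom.outputs.dependency_manager }}`) and compare `"$DETECTED"` to `"$EXPECTED"` in the script instead.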
@@ -189,10 +189,10 @@
fi

if [[ "$json_found" == true ]] || [[ "$xml_found" == true ]]; then
echo "✅ SBOM generation test passed for ${{ matrix.description }}"

Check notice on line 192 in .github/workflows/testing.yaml (GitHub Actions / Audit Workflows, zizmor: zizmor/template-injection): code injection via template expansion: may expand into attacker-controllable code

else
echo "⚠️ No SBOM files found, but generation didn't fail"
repo="${{ matrix.repository }}"

Check notice on line 195 in .github/workflows/testing.yaml (GitHub Actions / Audit Workflows, zizmor: zizmor/template-injection): code injection via template expansion: may expand into attacker-controllable code

echo "::warning::No SBOM files generated for $repo"
fi
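Review bot: lines 192 and 195 repeat the same `${{ matrix.description }}` / `${{ matrix.repository }}` expansion inside the script that zizmor reports as template injection. Rather than patching each occurrence, define `DESC` and `REPO` once in this step's `env:` block; a single `env:` on the step covers every use inside the `run:` body, so the whole script can switch to `"$DESC"` and `"$REPO"` in one change and the `repo="..."` reassignments become unnecessary.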
