centersl/ansible-docs
1
0
Fork 0
mirror of https://github.com/ansible/ansible-documentation.git synced 2026-03-26 13:18:58 +07:00
Code Issues Packages Projects Releases Wiki Activity

Lint Github Actions workflows with zizmor (#3188)

Browse Source 
* ci: fix issues indentified by zizmor GHA linter

This fixes issues identified by the zizmor linter which checks for
Github Actions security best practicies.

Summary of changes:

- Remove possibilities for shell injection. These can all only be
  activated by workflow_dispatch input provided by people who already
  have access to the repository but still a good idea to tidy this up.
  Many of these occur in the build-package-docs actions. We should test
  everything to make sure nothing is broken by these changes.
- Explicitly set permissions. This is not strictly required, because we
  already enforce a limited set of default permissions in the repo's GHA
  settings, but zizmor wants us to be explicit.
- Use `persist-credentials: false` with the checkout action.

Also, when rebasing this commit, I added back the manual `nox -s
clone-core` step to keep the outputs separate.

* ci: run zizmor in CI and noxfile

- Adds lockfile
- Adds nox session
- Adds nox session to CI matrix

* ci: fix additional issues identified by zizmor

- Add default permissions to new workflows
- Add cooldown to dependabot

* ci: add zizmor configuration for unpinned-uses

We could configure dependabot to pin shared workflow commit SHA hashes,
but for now, let's relax the unpinned-uses relax

* ci: restore secrets: inheirt for pip-compile workflows

See comment for more details.

* ci: fix token auth for pip-compile workflow

* README: mention that lint session runs GHA checks

* Update noxfile.py

Co-authored-by: Don Naro <dnaro@redhat.com>

* nox zizmor: allow overriding persona

* nox: actually run zizmor as part of lint session

* ci: use GHA expression instead of shell test

Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk@sydorenko.org.ua>

* ci: use Python to avoid shell+json quoting issues

---------

Co-authored-by: Don Naro <dnaro@redhat.com>
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk@sydorenko.org.ua>
This commit is contained in:
Maxwell G
2025-12-03 11:02:43 -06:00
committed by GitHub
parent cda50f3908
commit 86f9d4351e
19 changed files with 138 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
README.md
View File

@@ -73,7 +73,7 @@ The `nox` configuration also contains session to run automated docs checkers.
If you want to view the generated HTML in your browser, you should build the documentation locally.
See [Building the documentation locally](https://docs.ansible.com/ansible/latest/community/documentation_contributions.html#building-the-documentation-locally) for more information.
* Lint, type check, and format Python scripts in this repository.
* Lint, type check, and format Python scripts in this repository and lint the Github Actions workflows for syntax and security issues:
``` bash
nox -s lint