mirror of
https://github.com/ansible/ansible-documentation.git
synced 2026-03-27 13:28:51 +07:00
* ci: fix issues identified by zizmor GHA linter

  This fixes issues identified by the zizmor linter which checks for GitHub Actions security best practices. Summary of changes:

  - Remove possibilities for shell injection. These can all only be activated by workflow_dispatch input provided by people who already have access to the repository but still a good idea to tidy this up. Many of these occur in the build-package-docs actions. We should test everything to make sure nothing is broken by these changes.
  - Explicitly set permissions. This is not strictly required, because we already enforce a limited set of default permissions in the repo's GHA settings, but zizmor wants us to be explicit.
  - Use `persist-credentials: false` with the checkout action.

  Also, when rebasing this commit, I added back the manual `nox -s clone-core` step to keep the outputs separate.

* ci: run zizmor in CI and noxfile

  - Adds lockfile
  - Adds nox session
  - Adds nox session to CI matrix

* ci: fix additional issues identified by zizmor

  - Add default permissions to new workflows
  - Add cooldown to dependabot

* ci: add zizmor configuration for unpinned-uses

  We could configure dependabot to pin shared workflow commit SHA hashes, but for now, let's relax the unpinned-uses rule.

* ci: restore `secrets: inherit` for pip-compile workflows

  See comment for more details.

* ci: fix token auth for pip-compile workflow

* README: mention that lint session runs GHA checks

* Update noxfile.py

  Co-authored-by: Don Naro <dnaro@redhat.com>

* nox zizmor: allow overriding persona

* nox: actually run zizmor as part of lint session

* ci: use GHA expression instead of shell test

  Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk@sydorenko.org.ua>

* ci: use Python to avoid shell+json quoting issues

---------

Co-authored-by: Don Naro <dnaro@redhat.com>
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk@sydorenko.org.ua>
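As an added example that is not part of this commit or of the ansible-documentation repository, the following workflow shows the three patterns the first commit message describes (an expression interpolated into a `run:` step, implicit job permissions, and checkout credentials left on disk), once as the form zizmor flags and once hardened; the workflow name, the `ansible-ref` input and the clone command are assumed placeholders.

```yaml
# Added example, not the project's own workflow. Input name and commands are placeholders.
name: build-docs-example
on:
  workflow_dispatch:
    inputs:
      ansible-ref:
        description: "Git ref to build the docs against"
        default: "devel"

# Explicit least-privilege default for every job; a job that needs more
# (e.g. publishing) grants it in its own permissions block.
permissions:
  contents: read

jobs:
  before:  # what zizmor reports
    runs-on: ubuntu-latest
    steps:
      # Default persist-credentials: true stores GITHUB_TOKEN in .git/config,
      # where any later step or cached artifact can read it.
      - uses: actions/checkout@v4
      # The runner expands ${{ }} into the script text before bash runs it, so an
      # input containing shell syntax such as $(...) or ; is executed, not quoted.
      - run: git clone --branch ${{ inputs.ansible-ref }} https://github.com/ansible/ansible.git
      # A shell string comparison on interpolated input has the same problem.
      - run: |
          if [ "${{ inputs.ansible-ref }}" != "devel" ]; then echo "non-default ref"; fi

  after:  # the hardened form
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # nothing needs the token after checkout
      # Pass the input through the environment: bash sees it only as data, and
      # double-quoting keeps it a single argument however it is spelled.
      - env:
          ANSIBLE_REF: ${{ inputs.ansible-ref }}
        run: git clone --branch "$ANSIBLE_REF" https://github.com/ansible/ansible.git
      # Branch on the input with a GHA expression instead of a shell test;
      # no shell is involved in evaluating it.
      - if: ${{ inputs.ansible-ref != 'devel' }}
        run: echo "non-default ref"
```

The `before` job is kept only to show what the linter flags; in a real repository only the `after` form should exist.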
14 lines
350 B
YAML
```yaml
---
# Copyright (c) Ansible Project
# GNU General Public License v3.0+ (see LICENSES/GPL-3.0-or-later.txt or https://www.gnu.org/licenses/gpl-3.0.txt)
# SPDX-License-Identifier: GPL-3.0-or-later

version: 2
updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    cooldown:
      default-days: 4
```