Make WordPress Core

Changeset 62250


Timestamp:
04/21/2026 04:48:42 PM (3 weeks ago)
Author:
johnbillion
Message:

Build/Test Tools: Add more workflow file linting with Zizmor.

This change introduces Zizmor, which is a tool for linting GitHub Actions workflow files for security weaknesses. This complements the existing Actionlint scanning.

For more information about Actionlint and Zizmor, see the GitHub Actions Workflow Standards page in the developer handbook: https://developer.wordpress.org/coding-standards/wordpress-coding-standards/github-actions/

Some issues in workflow files that are reported by Zizmor will be addressed in follow-up commits.

Props johnbillion, desrosj.

See #64227

File:
1 edited

  • trunk/.github/workflows/reusable-workflow-lint.yml

    r61663 r62250  
    3333        with:
    3434          args: "-color -verbose"
     35
     36  # Runs the Zizmor GitHub Action workflow file linter.
     37  #
     38  # See https://github.com/zizmorcore/zizmor
     39  #
     40  # This helps guard against supply chain attacks, unpinned dependencies, excessive permissions,
     41  # dangerous triggers, credential leaks, and sophisticated security vulnerabilities.
     42  #
     43  # Performs the following steps:
     44  # - Checks out the repository.
     45  # - Installs and configures uv.
     46  # - Runs a zizmor scan.
     47  # - Uploads the SARIF file to GitHub.
     48  zizmor:
     49    name: Zizmor
     50    runs-on: ubuntu-24.04
     51    permissions:
     52      security-events: write
     53      actions: read
     54      contents: read
     55    steps:
     56      - name: Checkout repository
     57        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     58        with:
     59          persist-credentials: false
     60
     61      - name: Install the latest version of uv
     62        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
     63
     64      - name: Run zizmor
     65        run: uvx zizmor@1.24.1 --persona=regular --format=sarif --strict-collection . > results.sarif
     66        env:
     67          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     68
     69      - name: Upload SARIF file
     70        uses: github/codeql-action/upload-sarif@b1bff81932f5cdfc8695c7752dcee935dcd061c8 # v4.33.0
     71        with:
     72          sarif_file: results.sarif
     73          category: zizmor
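Review bot: The `Run zizmor` step (line 65 of the new file) has no `continue-on-error` and the following `Upload SARIF file` step has no `if: always()`, so if `zizmor` exits non-zero when it reports findings, the SARIF results never reach GitHub code scanning; this matters here because the commit message says findings are expected until follow-up commits land. Either confirm that `--format=sarif` suppresses the finding-based exit status, or add `if: always()` to the upload step (or `--no-exit-codes` to the scan) so the results are uploaded and surfaced rather than only failing the job. Two smaller points: the step named `Install the latest version of uv` pins the action by commit but lets the `uv` binary itself float, which is at odds with the pinning discipline applied everywhere else in this job (zizmor is pinned to `1.24.1`, every action to a SHA), so consider pinning the uv version too; and the header comment `# dangerous triggers, credential leaks, and sophisticated security vulnerabilities.` would read better with the last item dropped or made concrete, since it adds nothing over the specific classes listed before it. The `persist-credentials: false` on checkout and the minimal `permissions` block (`security-events: write` only because `upload-sarif` needs it) look right.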