diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 921f81ca..a577b387 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -25,6 +25,7 @@ jobs:
 timeout-minutes: 15
 permissions:
 contents: read
+ security-events: write
 env:
 TOXENV: ${{ matrix.name }}
 steps:
@@ -57,6 +58,13 @@ jobs:
 - name: Run tox
 run: tox
+ - name: Upload zizmor SARIF report into the GitHub repo code scanning
+ if: contains(matrix.name, 'linting')
+ uses: github/codeql-action/upload-sarif@v3
+ with:
+ sarif_file: zizmor.sarif
+ category: zizmor
+
 - name: Report coverage
 if: contains(matrix.name, 'coverage')
 uses: codecov/codecov-action@v5
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 2ed61128..a935769a 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -4,3 +4,4 @@ rules:
 policies:
 actions/*: ref-pin
 codecov/codecov-action: ref-pin
+ github/*: ref-pin
diff --git a/.gitignore b/.gitignore
index 35f1856e..27011bfa 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@ _build
 *.egg
 # autogenerated by setuptools-scm
 /pytest_django/_version.py
+zizmor.sarif
diff --git a/tox.ini b/tox.ini
index ccd5e381..59d4cb57 100644
--- a/tox.ini
+++ b/tox.ini
@@ -48,7 +48,7 @@ commands =
 ruff check --diff {posargs:pytest_django pytest_django_test tests}
 ruff format --quiet --diff {posargs:pytest_django pytest_django_test tests}
 mypy {posargs:pytest_django pytest_django_test tests}
- zizmor --persona=pedantic .github/workflows/deploy.yml .github/workflows/main.yml
+ python -c "import subprocess, sys; sys.exit(subprocess.call('zizmor --persona=pedantic --format sarif .github/workflows/deploy.yml .github/workflows/main.yml > zizmor.sarif', shell=True))"
 [testenv:doc8]
 basepython = python3
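Review bot: The upload step added in the second main.yml hunk is skipped on exactly the run where its report matters: its `if` names no status function, so GitHub implies `success()`, and when zizmor reports findings the preceding `Run tox` step fails (the previous command already depended on that non-zero exit) and the SARIF is never sent to code scanning. A condition such as `if: ${{ !cancelled() && contains(matrix.name, 'linting') && hashFiles('zizmor.sarif') != '' }}` uploads the report after a failing lint run while still skipping the step when tox aborted before zizmor produced the file. The `security-events: write` grant in the first hunk is job-scoped, so every matrix entry receives it although only the linting entry uploads; a comment such as `# job-scoped: needed only by the linting entry's SARIF upload` would record that trade-off. The job definition these hunks belong to starts before the first hunk.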
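Review bot: The new `github/*: ref-pin` policy relaxes the pinning expectation for every GitHub-owned action, not only the `github/codeql-action/upload-sarif@v3` step this commit introduces, and the line gives no reason for accepting a mutable tag there. Presumably it keeps the pedantic unpinned-uses check from flagging the tag pin, in line with the `codecov/codecov-action: ref-pin` entry above it, but that intent should be written down; a comment above the entry such as `# GitHub-owned actions: tag pins accepted, as for codecov above` makes the decision reviewable. The enclosing `rules:` mapping begins before this hunk.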
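Review bot: The replacement command in the tox.ini hunk uses `shell=True` only to obtain the stdout redirect that tox cannot express; the command string is a constant, so this is safe as written, but nothing in the file says so, and extending it with `{posargs}` later — as the three lines above it do — would hand user-supplied text to a shell. A comment above the line such as `# shell wrapper exists only for the > redirect; keep the string constant (no {posargs}), shell=True parses it` records that constraint. It is also worth noting there that the redirect creates `zizmor.sarif` before zizmor starts, so a failed invocation leaves an empty file behind for the upload step in main.yml to pick up. The `commands =` list this line belongs to begins before the hunk.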