Merge pull request #3463 from bdarnell/actions

ci: Analyze github action configs with zizmor
tornadoweb · Feb 21, 2025 · 641f0c2 · 641f0c2
2 parents 0ab655e + d564583
commit 641f0c2
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -17,6 +17,8 @@ on:
   workflow_dispatch:
     # Allow this workflow to be run manually (pushing to testpypi instead of pypi)
 
+permissions: {}
+
 env:
   python-version: '3.9'
 

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -9,6 +9,8 @@ name: Test
 
 on: pull_request
 
+permissions: {}
+
 jobs:
   # Before starting the full build matrix, run one test configuration
   # and the linter (the `black` linter is especially likely to catch
@@ -103,3 +105,15 @@ jobs:
       - name: Run test suite
         # TODO: figure out what's up with these log messages
         run: py -m tornado.test --fail-if-logs=false
+
+  zizmor:
+    name: Analyze action configs with zizmor
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+      - uses: astral-sh/setup-uv@v5
+        name: Install uv
+      - name: Run zizmor
+        run: uvx zizmor .github/workflows