46 changes: 24 additions & 22 deletions .github/workflows/ci-cd-java.yml
Expand Up @@ -67,12 +67,28 @@ jobs:
ref: ${{ steps.resolve_shared_workflow_ref.outputs.shared_workflow_ref }}
path: .shared-workflows

- name: Check if release build
id: release_check
env:
PERFORM_RELEASE_INPUT: ${{ inputs.performRelease }}
run: |
PERFORM_RELEASE=false
if [[ "${GITHUB_REF}" == "refs/heads/main" || \
"${GITHUB_REF}" == "refs/heads/develop" || \
"${GITHUB_REF}" == "refs/heads/aks-dev" || \
"${GITHUB_REF}" == refs/tags/* ]]; then
PERFORM_RELEASE=true
elif [[ "${PERFORM_RELEASE_INPUT}" == "true" ]]; then
PERFORM_RELEASE=true
fi
echo "perform_release=${PERFORM_RELEASE}" >> "$GITHUB_OUTPUT"

- name: Setup JDK
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
with:
distribution: 'temurin'
java-version: '25'
cache: 'maven'
cache: ${{ steps.release_check.outputs.perform_release != 'true' && 'maven' || '' }}

- name: Validate Java version consistency
working-directory: ${{ inputs.workingDirectory }}
Expand Down Expand Up @@ -184,22 +200,8 @@ jobs:
build-args:
GITHUB_ACTOR=${{ github.actor }}

- name: Check if perform release
id: perform_release
run: |
PERFORM_RELEASE=false
if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then
PERFORM_RELEASE=true
elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
PERFORM_RELEASE=true
elif [[ "${{ inputs.performRelease }}" == "true" ]]; then
PERFORM_RELEASE=true
fi
echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV
echo "Perform release: ${PERFORM_RELEASE}"

- name: Extract Docker metadata
if: ${{ env.PERFORM_RELEASE == 'true' }}
if: ${{ steps.release_check.outputs.perform_release == 'true' }}
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
Expand All @@ -213,25 +215,25 @@ jobs:
org.opencontainers.image.vendor=hsldevcom

- name: Setup Docker Buildx
if: ${{ env.PERFORM_RELEASE == 'true' }}
if: ${{ steps.release_check.outputs.perform_release == 'true' }}
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Login to Docker Hub
if: ${{ env.PERFORM_RELEASE == 'true' }}
if: ${{ steps.release_check.outputs.perform_release == 'true' }}
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }}
password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }}

- name: Build & Push Docker image
if: ${{ env.PERFORM_RELEASE == 'true' }}
if: ${{ steps.release_check.outputs.perform_release == 'true' }}
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: ${{ inputs.workingDirectory }}
push: ${{ env.PERFORM_RELEASE }}
push: ${{ steps.release_check.outputs.perform_release }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
secrets: |
github_token=${{ secrets.GITHUB_TOKEN }}
build-args: |
GITHUB_ACTOR=${{ github.actor }}
build-args: |
GITHUB_ACTOR=${{ github.actor }}
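Review bot: The new `cache:` expression on the Setup JDK step (`steps.release_check.outputs.perform_release != 'true' && 'maven' || ''`) carries no comment saying why the dependency cache is skipped on release builds, and the identical undocumented expression appears in ci-cd-kotlin.yml with `'gradle'`. Given the zizmor audit added elsewhere in this PR this reads as a cache-poisoning mitigation (a cache entry seeded from an untrusted branch must not feed a published artifact), but a reader of this file alone cannot tell, and the construct also relies on setup-java treating an empty `cache` input as "no cache" — worth confirming against the pinned v4.8.0 rather than assuming it. I would add above the line: `# Skip the dependency cache on release builds so a poisoned cache entry cannot reach published artifacts (zizmor: cache-poisoning)`. Since the `release_check` script depends on bash `[[` and glob matching (`refs/tags/*`), an explicit `shell: bash` on that step would also pin that assumption; `runs-on` is outside the hunk. Passing `inputs.performRelease` through `env` instead of interpolating it into the script is the right pattern and is an improvement over the removed step.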
42 changes: 22 additions & 20 deletions .github/workflows/ci-cd-kotlin.yml
Expand Up @@ -68,12 +68,28 @@ jobs:
ref: ${{ env.SHARED_WORKFLOW_REF }}
path: .shared-workflows

- name: Check if release build
id: release_check
env:
PERFORM_RELEASE_INPUT: ${{ inputs.performRelease }}
run: |
PERFORM_RELEASE=false
if [[ "${GITHUB_REF}" == "refs/heads/main" || \
"${GITHUB_REF}" == "refs/heads/develop" || \
"${GITHUB_REF}" == "refs/heads/aks-dev" || \
"${GITHUB_REF}" == refs/tags/* ]]; then
PERFORM_RELEASE=true
elif [[ "${PERFORM_RELEASE_INPUT}" == "true" ]]; then
PERFORM_RELEASE=true
fi
echo "perform_release=${PERFORM_RELEASE}" >> "$GITHUB_OUTPUT"

- name: Setup JDK
uses: actions/setup-java@c1e323688fd81a25caa38c78aa6df2d33d3e20d9 # v4.8.0
with:
distribution: 'temurin'
java-version: '11'
cache: 'gradle'
cache: ${{ steps.release_check.outputs.perform_release != 'true' && 'gradle' || '' }}

- name: Validate Java version consistency
env:
Expand Down Expand Up @@ -163,26 +179,12 @@ jobs:
push: 'false'
tags: 'hsldevcom/${{ env.IMAGE_NAME }}:${{ github.sha }}'

- name: Check if perform release
id: perform_release
run: |
PERFORM_RELEASE=false
if [[ "${GITHUB_REF}" == "refs/heads/main" || "${GITHUB_REF}" == "refs/heads/develop" || "${GITHUB_REF}" == "refs/heads/aks-dev" ]]; then
PERFORM_RELEASE=true
elif [[ "${GITHUB_REF}" == refs/tags/* ]]; then
PERFORM_RELEASE=true
elif [[ "${{ inputs.performRelease }}" == "true" ]]; then
PERFORM_RELEASE=true
fi
echo "PERFORM_RELEASE=${PERFORM_RELEASE}" >> $GITHUB_ENV
echo "Perform release: ${PERFORM_RELEASE}"

- name: Setup Docker Buildx
if: env.PERFORM_RELEASE == 'true'
if: steps.release_check.outputs.perform_release == 'true'
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0

- name: Extract Docker metadata
if: env.PERFORM_RELEASE == 'true'
if: steps.release_check.outputs.perform_release == 'true'
id: meta
uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
with:
Expand All @@ -196,17 +198,17 @@ jobs:
org.opencontainers.image.vendor=hsldevcom

- name: Login to Docker Hub
if: env.PERFORM_RELEASE == 'true'
if: steps.release_check.outputs.perform_release == 'true'
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
with:
username: ${{ secrets.DOCKER_HUB_INFODEVOPS_USERNAME }}
password: ${{ secrets.DOCKER_HUB_INFODEVOPS_TOKEN }}

- name: Build & Push Docker image
if: env.PERFORM_RELEASE == 'true'
if: steps.release_check.outputs.perform_release == 'true'
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
with:
context: .
push: ${{ env.PERFORM_RELEASE }}
push: ${{ steps.release_check.outputs.perform_release }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
4 changes: 3 additions & 1 deletion .github/workflows/ci-cd-typescript.yml
Expand Up @@ -38,10 +38,10 @@ jobs:
fetch-depth: 2

- name: Install Node
# zizmor:ignore[cache-poisoning] Node binary tool-cache is implicit and cannot be disabled; no npm package cache is configured
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
with:
node-version: "lts/*"
cache: "npm"

- name: Install NPM dependencies
run: npm ci
Expand Down Expand Up @@ -105,6 +105,7 @@ jobs:
with:
context: .
load: true
no-cache: true
target: "${{ env.TEST_STAGE }}"
tags: "${{ env.IMAGE_NAME }}:${{ env.TEST_STAGE }}"

Expand All @@ -126,6 +127,7 @@ jobs:
with:
context: .
push: true
no-cache: true
target: "${{ env.PRODUCTION_STAGE }}"
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
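Review bot: The two `no-cache: true` additions (the test-stage build with `load: true` and the production build with `push: true`) have no comment recording why Docker layer caching was turned off, and the trade-off — every build rebuilds every layer — will be questioned by the next person trimming CI time. I would put `# Rebuild all layers: a cached layer seeded by an untrusted branch must not reach the published image` above each. The `zizmor:ignore[cache-poisoning]` comment on the Install Node step may also be redundant now that `cache: "npm"` is removed, since as far as I know zizmor's cache-poisoning audit keys on that input for setup-node; worth re-running zizmor without the ignore to confirm rather than carrying a blanket suppression. Both build steps' enclosing `with:` blocks start outside the hunk.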
15 changes: 15 additions & 0 deletions .github/workflows/ci.yml
Expand Up @@ -42,3 +42,18 @@ jobs:

- name: Run script tests
run: pytest scripts/ -v

zizmor:
name: Workflow security audit (zizmor)
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
with:
persist-credentials: false

- name: Run zizmor
uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
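Review bot: The `Run zizmor` step uses the action with no `with:` block, so the audit persona, minimum severity and the results upload all come from the action's defaults, and the job's `security-events: write` grant is left unexplained. If I read the defaults right, the action uploads SARIF to code scanning (its `advanced-security` input), which is what that permission is for; on a repository without code scanning enabled the upload would fail instead of just printing findings, so setting the behaviour explicitly avoids a surprise — please confirm against the pinned v0.5.3. I would add above the permission: `# security-events: write is needed only for zizmor's SARIF upload to code scanning`. `persist-credentials: false` on the checkout is the right choice here since the job only reads workflow files.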