GHA/checksrc: check GHA rules with zizmor

The pedantic level is experimental. If it causes issues, we may just
disable it alongside the ignore comments.

Also:
- silence error:
  ```
   INFO audit: zizmor: completed label.yml
  error[dangerous-triggers]: use of fundamentally insecure workflow trigger
    --> label.yml:13:1
     |
  13 | 'on': [pull_request_target]
     | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely
     |
     = note: audit confidence -> Medium
  ```
- fix pedantic warning:
  ```
   INFO audit: zizmor: completed label.yml
  warning[excessive-permissions]: overly broad permissions
    --> label.yml:1:1
  ...  |
  24 | |         with:
  25 | |           repo-token: '${{ secrets.GITHUB_TOKEN }}'
     | |____________________________________________________- default permissions used due to no permissions: block
     |
     = note: audit confidence -> Medium
  ```
- silence `template-injection` false positives like:
  ```
  - note: ${{ matrix.build.torture && 'test-torture' || 'test-ci' }} may expand into attacker-controllable code
  - note: ${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }} may expand into attacker-controllable code
  ```
  It doesn't seem like these could be controlled by an attacker.
  Let me know if I'm missing something.

Closes #17278
This commit is contained in:
Viktor Szakats 2025-05-07 18:56:27 +02:00
parent 283ad5c432
commit e522f47986
No known key found for this signature in database
GPG key ID: B5ABD165E2AEF201
5 changed files with 23 additions and 2 deletions

View file

@ -117,3 +117,18 @@ jobs:
run: |
grep -Ev '(\\bwill| url | dir )' .github/scripts/badwords.txt | \
.github/scripts/badwords.pl $(git ls-files -- src lib include)
ghacheck:
name: GHA analysis
runs-on: macos-latest
timeout-minutes: 1
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
with:
persist-credentials: false
name: checkout
- name: zizmor
run: |
brew install zizmor
zizmor --pedantic .github/workflows/*.yml