diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml
index 0a6a8f4..5521a92 100644
--- a/.github/workflows/actionci.yml
+++ b/.github/workflows/actionci.yml
@@ -14,10 +14,10 @@ on:
 type: boolean
 default: true
 zizmor-advanced-security:
- description: Upload zizmor results to GitHub Advanced Security
+ description: Upload zizmor results to GitHub Advanced Security. Leave unset to auto-enable for public repos, or set to "true"/"false" to override.
 required: false
- type: boolean
- default: false
+ type: string
+ default: ""
 permissions:
 contents: read
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 95b39cb..5f752a6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,17 +19,11 @@ concurrency:
 cancel-in-progress: true
 jobs:
- actionlint:
- name: Lint GitHub workflows
- uses: ./.github/workflows/actionlint.yml
-
- zizmor:
- name: Scan GitHub workflows
- uses: ./.github/workflows/zizmor.yml
-
- frizbee:
- name: Check action pinning
- uses: ./.github/workflows/frizbee.yml
+ actionci:
+ uses: ./.github/workflows/actionci.yml
+ permissions:
+ contents: read
+ security-events: write
 lint-dummy-app: # NOTE(@azazeal): this check is here to verify that .golangci.yml is valid
 name: Lint dummy app
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 65e9e21..e73a7e0 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -3,9 +3,9 @@ on:
 workflow_call:
 inputs:
 advanced-security:
- description: Upload results to GitHub Advanced Security
- type: boolean
- default: false
+ description: Upload results to GitHub Advanced Security. Leave unset to auto-enable for public repos, or set to "true"/"false" to override.
+ type: string
+ default: ""
 jobs:
 zizmor:
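Review bot: The default for `zizmor-advanced-security` changes from `false` to an empty string that the new description defines as auto-enable on public repositories, so a caller that never set the input and never granted `security-events: write` would presumably start attempting uploads on a public repo. The same default flip is applied to `advanced-security` in zizmor.yml further down. How actionci.yml forwards the value to zizmor.yml is outside this hunk, so confirm the empty string is passed through unchanged. I would put the requirement in the description itself, for example by appending `The calling job must grant security-events: write when the upload is enabled.`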
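Review bot: `security-events: write` on the new `actionci` job is the permission ceiling for every job inside the called workflow, not only for the zizmor scan that uploads results. What looks like a top-level `permissions: contents: read` in actionci.yml is visible in the first hunk, but whether its individual jobs re-declare permissions is not shown, so confirm that only the zizmor job requests the write scope. A comment above the grant would keep the reason attached to it: `# security-events: write is consumed only by the zizmor upload to code scanning`. The new job also drops the `name:` keys the three removed jobs carried, so any required status checks keyed on the old names would need updating.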
@@ -20,4 +20,4 @@ jobs:
 with:
 min-severity: medium
 min-confidence: medium
- advanced-security: ${{ inputs.advanced-security }}
+ advanced-security: ${{ (inputs.advanced-security == '' && github.repository_visibility == 'public') || inputs.advanced-security == 'true' }}
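Review bot: Any value other than an empty string or `true` makes this expression evaluate to false, so a caller typo such as `yes` or `1` silently turns the upload off, and findings never reach code scanning. With the input now a free-form string instead of a boolean, nothing visible in this hunk rejects such values. A guard step ahead of the scan would fail loudly instead: `if: ${{ !contains(fromJSON('["", "true", "false"]'), inputs.advanced-security) }}` with `run: exit 1`. The auto-enable branch likewise falls through to false without a signal if `github.repository_visibility` ever evaluates empty. The job's steps begin outside this hunk.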