chore: add pinact, apply pinact (#817)

2025-12-23 08:47:33 +00:00 · 2025-05-18 19:11:03 -04:00 · 2025-05-18 19:11:03 -04:00 · a851cc907c
commit a851cc907c
parent d4b065bdde
5 changed files with 31 additions and 22 deletions
--- a/.github/pinact.yml
+++ b/.github/pinact.yml
@ -0,0 +1,6 @@
+version: 3
+
+files:
+  - pattern: workflows/*.yml
+  - pattern: ../docs/usage.md
+  - pattern: ../docs/audits.md
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@ -20,4 +20,4 @@ jobs:
          persist-credentials: false

      - name: Run zizmor 🌈
-        uses: zizmorcore/zizmor-action@006ecee4788dece29e278dcf69fa6bb01e09c47b # v0.0.1
+        uses: zizmorcore/zizmor-action@b2767f4d401a041e2d7b4b92f4c5c205e0e6e38a # v0.0.2
--- a/4
+++ b/4
@ -30,3 +30,7 @@ docs/snippets/sponsors.html: docs/snippets/sponsors.json docs/snippets/render-sp
 refresh-schemas:
 	curl https://json.schemastore.org/github-workflow.json > crates/zizmor/src/data/github-workflow.json
 	curl https://json.schemastore.org/github-action.json > crates/zizmor/src/data/github-action.json
+
+.PHONY: pinact
+pinact:
+	pinact run --update --verify
--- a/docs/audits.md
+++ b/docs/audits.md
@ -56,7 +56,7 @@ with `#!yaml persist-credentials: true`.
      artipacked:
        runs-on: ubuntu-latest
        steps:
-          - uses: actions/checkout@v4
+          - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    ```

 === "After :white_check_mark:"
@ -68,7 +68,7 @@ with `#!yaml persist-credentials: true`.
      artipacked:
        runs-on: ubuntu-latest
        steps:
-          - uses: actions/checkout@v4
+          - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
            with:
              persist-credentials: false
    ```
@ -337,13 +337,13 @@ by default, and then set specific job-level permissions as needed.

            steps:
              - name: Download distributions
-                uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+                uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
                with:
                  name: distributions
                  path: dist/

              - name: publish
-                uses: pypa/gh-action-pypi-publish@v1.12.4
+                uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
        ```

    === "After :white_check_mark:"
@ -374,13 +374,13 @@ by default, and then set specific job-level permissions as needed.

            steps:
              - name: Download distributions
-                uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
+                uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
                with:
                  name: distributions
                  path: dist/

              - name: publish
-                uses: pypa/gh-action-pypi-publish@v1.12.4
+                uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
        ```

 ## `forbidden-uses`
@ -725,7 +725,7 @@ Address the source of obfuscation by simplifying the expression,
            runs-on: ubuntu-latest
            steps:
              - name: Checkout
-                uses: actions/checkout@v4
+                uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
                with:
                  repository: ${{ format('{0}/{1}', 'octocat', 'hello-world') }}
        ```
@ -738,7 +738,7 @@ Address the source of obfuscation by simplifying the expression,
            runs-on: ubuntu-latest
            steps:
              - name: Checkout
-                uses: actions/checkout@v4
+                uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
                with:
                  repository: octocat/hello-world
        ```
@ -1306,7 +1306,7 @@ For Docker actions (like `docker://ubuntu`): add an appropriate
          unpinned-uses:
              runs-on: ubuntu-latest
              steps:
-              - uses: actions/checkout@v4 # (1)!
+              - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
                with:
                persist-credentials: false

@ -1316,9 +1316,6 @@ For Docker actions (like `docker://ubuntu`): add an appropriate
                args: hello!
        ```

-        1. Or `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683` for a SHA-pinned action.
-
-
 ## `unredacted-secrets`

 | Type     | Examples                | Introduced in | Works offline  | Enabled by default | Configurable |
--- a/docs/usage.md
+++ b/docs/usage.md
@ -327,7 +327,7 @@ sensitive `zizmor`'s analyses are:
    as its pin instead of a hashed pin:

    ```yaml
-    uses: actions/checkout@v3
+    uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
    ```

    produces:
@ -434,16 +434,18 @@ Multiple different audits can be ignored with a single comment by
 separating each rule with a comma, e.g.
 `# zizmor: ignore[artipacked,ref-confusion]`.

-To ignore a single `artipacked` finding:
+To ignore a single `template-injection` finding:

 ```yaml title="example.yml"
-uses: actions/checkout@v3 # zizmor: ignore[artipacked]
+run: | # zizmor: ignore[template-injection]
+  echo "${{ github.event.issue.title }}"
 ```

 Ignore comments can also have a trailing explanation:

 ```yaml title="example.yml"
-uses: actions/checkout@v3 # zizmor: ignore[artipacked] this is actually fine
+run: | # zizmor: ignore[template-injection] i promise this is safe
+  echo "${{ github.event.issue.title }}"
 ```

 !!! important
@ -586,12 +588,12 @@ two primary ways to use `zizmor` in GitHub Actions:
          actions: read # only needed for private repos
        steps:
          - name: Checkout repository
-            uses: actions/checkout@v4
+            uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
            with:
              persist-credentials: false

          - name: Install the latest version of uv
-            uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0
+            uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1

          - name: Run zizmor 🌈
            run: uvx zizmor --format=sarif . > results.sarif # (2)!
@ -599,7 +601,7 @@ two primary ways to use `zizmor` in GitHub Actions:
              GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} # (1)!

          - name: Upload SARIF file
-            uses: github/codeql-action/upload-sarif@v3
+            uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f # v3.28.18
            with:
              sarif_file: results.sarif
              category: zizmor
@ -657,10 +659,10 @@ two primary ways to use `zizmor` in GitHub Actions:
          actions: read # only needed for private repos
        steps:
          - name: Checkout repository
-            uses: actions/checkout@v4
+            uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

          - name: Install the latest version of uv
-            uses: astral-sh/setup-uv@v5
+            uses: astral-sh/setup-uv@6b9c6063abd6010835644d4c2e1bef4cf5cd0fca # v6.0.1

          - name: Run zizmor 🌈
            run: uvx zizmor --format=github . # (2)!