mirror of
https://github.com/actions/setup-java.git
synced 2026-07-08 14:21:50 +00:00
The `if:` key on the "Upload SARIF results to code scanning" step had no
indentation, producing invalid YAML ("Nested mappings are not allowed in
compact mappings"). This broke `npm run format-check` (prettier) in Basic
validation.
Indent `if:` to 8 spaces so it nests under the step alongside uses/with.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
49 lines
1.2 KiB
YAML
49 lines
1.2 KiB
YAML
name: Security analysis with zizmor
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- releases/*
|
|
paths-ignore:
|
|
- '**.md'
|
|
pull_request:
|
|
paths-ignore:
|
|
- '**.md'
|
|
workflow_dispatch:
|
|
|
|
permissions: {}
|
|
|
|
jobs:
|
|
zizmor:
|
|
name: Analyze workflows with zizmor
|
|
runs-on: ubuntu-latest
|
|
permissions:
|
|
contents: read
|
|
security-events: write # to upload SARIF results to code scanning
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@v6
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Set up Python
|
|
uses: actions/setup-python@v5
|
|
with:
|
|
python-version: '3.x'
|
|
|
|
- name: Install zizmor
|
|
run: pip install zizmor
|
|
|
|
- name: Run zizmor
|
|
run: zizmor --format sarif .github/workflows/ > zizmor.sarif
|
|
env:
|
|
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Upload SARIF results to code scanning
|
|
if: always() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository)
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: zizmor.sarif
|
|
category: zizmor
|