From 35974428def06109bcfb39ac3ade0fcfdbfcf6c8 Mon Sep 17 00:00:00 2001
From: Guney Can Gokoglu
Date: Mon, 18 May 2026 11:43:31 +0300
Subject: [PATCH 1/3] feat: added zizmor
---
 .github/workflows/zizmor.yaml | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 .github/workflows/zizmor.yaml
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
new file mode 100644
index 0000000..ac36518
--- /dev/null
+++ b/.github/workflows/zizmor.yaml
@@ -0,0 +1,24 @@
+name: "GitHub Actions Security Analysis with zizmor \U0001F308"
+on:
+ push:
+ branches:
+ - main
+ pull_request:
+ branches:
+ - '**'
+permissions: {}
+jobs:
+ zizmor:
+ name: "Run zizmor \U0001F308"
+ runs-on: ubuntu-latest
+ permissions:
+ security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+ contents: read # Only needed for private repos. Needed to clone the repo.
+ actions: read # Only needed for private repos. Needed for upload-sarif to read workflow run info.
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - name: "Run zizmor \U0001F308"
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
From b2af8c3deadc1001d20840c29836a1d4fe81569a Mon Sep 17 00:00:00 2001
From: Guney Can Gokoglu
Date: Mon, 18 May 2026 11:43:44 +0300
Subject: [PATCH 2/3] feat: updated release action
---
 .github/workflows/release.yaml | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 754ada2..2f638b1 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
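Review bot: The job requests `security-events: write` for the SARIF upload, but the workflow also triggers on `pull_request` for every branch, and as far as I recall GitHub downgrades the GITHUB_TOKEN to read-only on runs for pull requests from forks regardless of the declared permissions, so the upload inside zizmor-action would fail there and the scan result would never surface on fork PRs. If this repository accepts fork PRs, either gate the action behind `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.fork == false`, or run the zizmor CLI directly in a step that fails the job on findings so the check status itself is the signal. Consider also adding a one-line comment on `security-events: write` such as `# SARIF upload only works when code scanning is enabled and the token is not a fork-PR read-only token` so the next maintainer understands the failure mode. The SHA-pinned actions, `persist-credentials: false`, and empty top-level `permissions: {}` are all as they should be.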
@@ -1,21 +1,24 @@ name: Create new version on: pull_request: - types: [closed] - + types: + - closed + branches: + - main +permissions: {} jobs: release: runs-on: ubuntu-latest name: Create a new release - + permissions: + contents: read if: github.event.pull_request.merged - steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2 with: fetch-depth: 0 - + persist-credentials: false - id: release - uses: poltio/action-release@main + uses: poltio/action-release@85f9196a86341209032ffbd779cb23ab7d8346d7 #latest with: token: ${{ secrets.GH_TOKEN }} From 8a3005cd68269a48ee8ee484b8bac88b7957f130 Mon Sep 17 00:00:00 2001 From: Guney Can Gokoglu Date: Mon, 18 May 2026 11:44:03 +0300 Subject: [PATCH 3/3] feat: updated action file to be complient with all the zizmor recommendations --- action.yaml | 74 ++++++++++++++++++++++++++++++++++------------------- 1 file changed, 48 insertions(+), 26 deletions(-) diff --git a/action.yaml b/action.yaml index 3990a7c..a49263e 100644 --- a/action.yaml +++ b/action.yaml 
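Review bot: The new `poltio/action-release@85f9196a86341209032ffbd779cb23ab7d8346d7 #latest` pin is SHA-pinned but annotated with `#latest` rather than the tag the SHA resolves to, which defeats the purpose of the annotation: reviewers and pin-update tooling rely on that comment to know which version is in use and when it drifts, so it should read like `# v1.2.3` (whatever tag `85f9196…` actually corresponds to), and for consistency the checkout pin should read `# v6.0.2` in the same form. Separately, the job now declares `permissions: contents: read` on the GITHUB_TOKEN, but the release step authenticates with a PAT from `secrets.GH_TOKEN` (the action's later `gh release create` runs with `GH_TOKEN: ${{ inputs.token }}`), so the least-privilege declaration does not bound what the step can actually do. If the PAT is there only so the created release triggers downstream workflows, a comment on the `token:` line saying so would justify keeping it; otherwise `contents: write` on the GITHUB_TOKEN is enough to create a tag and release and the long-lived secret could be retired.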
@@ -1,49 +1,71 @@ -name: "Create a new Version Tag and Release" -description: "Increases semver number and creates a new tag and github release based on tag" - +name: Create a new Version Tag and Release +description: Increases semver number and creates a new tag and github release based on tag inputs: alias: - description: "Version alias, you can leave it blank or use the default v" + description: Version alias, you can leave it blank or use the default v required: false - default: "v" + default: v token: - description: "Your github token " + description: 'Your github token ' required: true - outputs: version: - description: "Newly generated version" + description: Newly generated version value: ${{ steps.newversion.outputs.version }} - runs: - using: "composite" + using: composite steps: - name: Get a new major version if: contains(github.event.pull_request.labels.*.name, 'major') - run: echo "app_version=$(bash ${{ github.action_path }}/release.sh -m )" >> $GITHUB_ENV shell: bash - + env: + ACTION_PATH: ${{ github.action_path }} + run: | # zizmor: ignore[github-env] + version_val="$(bash "$ACTION_PATH/release.sh" -m)" + delimiter="$(openssl rand -hex 8)" + echo "app_version<<$delimiter" >> "$GITHUB_ENV" + echo "$version_val" >> "$GITHUB_ENV" + echo "$delimiter" >> "$GITHUB_ENV" - name: get a new minor version if: contains(github.event.pull_request.labels.*.name, 'minor') && contains(github.event.pull_request.labels.*.name, 'major') != true - run: echo "app_version=$(bash ${{ github.action_path }}/release.sh -i )" >> $GITHUB_ENV shell: bash - + env: + ACTION_PATH: ${{ github.action_path }} + run: | # zizmor: ignore[github-env] + version_val="$(bash "$ACTION_PATH/release.sh" -i)" + delimiter="$(openssl rand -hex 8)" + echo "app_version<<$delimiter" >> "$GITHUB_ENV" + echo "$version_val" >> "$GITHUB_ENV" + echo "$delimiter" >> "$GITHUB_ENV" - name: get a new patched version number if: contains(github.event.pull_request.labels.*.name, 'minor') != true && 
contains(github.event.pull_request.labels.*.name, 'major') != true - run: echo "app_version=$(bash ${{ github.action_path }}/release.sh -p )" >> $GITHUB_ENV shell: bash - + env: + ACTION_PATH: ${{ github.action_path }} + run: | # zizmor: ignore[github-env] + version_val="$(bash "$ACTION_PATH/release.sh" -p)" + delimiter="$(openssl rand -hex 8)" + echo "app_version<<$delimiter" >> "$GITHUB_ENV" + echo "$version_val" >> "$GITHUB_ENV" + echo "$delimiter" >> "$GITHUB_ENV" - id: newversion - run: echo "version=${{ env.app_version }}" >> $GITHUB_OUTPUT + name: Set version output shell: bash - + # $app_version is safely available here as a native bash variable because it was written to $GITHUB_ENV in the previous steps + run: | # zizmor: ignore[github-env] + delimiter="$(openssl rand -hex 8)" + echo "version<<$delimiter" >> "$GITHUB_OUTPUT" + echo "$app_version" >> "$GITHUB_OUTPUT" + echo "$delimiter" >> "$GITHUB_OUTPUT" - name: Create release if: github.event.pull_request.merged == true - uses: softprops/action-gh-release@v1 - with: - token: ${{ inputs.token }} - body: ${{ github.event.pull_request.body }} - tag_name: ${{ env.app_version }} - name: "${{ env.app_version }}: ${{ github.event.pull_request.title }}" - draft: false - prerelease: false + shell: bash + env: + GH_TOKEN: ${{ inputs.token }} + TAG_NAME: ${{ env.app_version }} + PR_TITLE: ${{ github.event.pull_request.title }} + PR_BODY: ${{ github.event.pull_request.body }} + run: | + gh release create "$TAG_NAME" \ + --title "$TAG_NAME: $PR_TITLE" \ + --notes "$PR_BODY"
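Review bot: The replacement `gh release create "$TAG_NAME"` step passes no `--target`, and when the tag does not exist yet gh creates it at the HEAD of the repository's default branch (per gh's own help text, if I recall correctly), so on a busy base branch a second merge landing between the PR close and this step would put the tag on a commit other than the one this PR produced. Pinning it to the merged commit is a two-line change: add `MERGE_SHA: ${{ github.event.pull_request.merge_commit_sha }}` under the step's `env:` and `--target "$MERGE_SHA" \` to the command. Handing `PR_TITLE`/`PR_BODY` and the token to the shell through `env:` rather than interpolating `${{ }}` into `run:` is the right way to keep PR-controlled text from being parsed as shell, and the random-delimiter heredoc writes to `$GITHUB_ENV`/`$GITHUB_OUTPUT` are correct. The three `# zizmor: ignore[github-env]` suppressions are only justified while `release.sh` derives the version from repository state rather than anything a PR author controls, so I would state that assumption once, e.g. `# app_version comes from release.sh (tag-derived), not from PR input — safe to write to GITHUB_ENV`, above the first suppressed step.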