chore: deploy agentic workflows (#35) #74
```yaml
# Copyright 2026 ResQ Software
# SPDX-License-Identifier: Apache-2.0
#
# Thin caller for the org-wide reusable security-scan workflow in
# resq-software/.github.

name: security

on:
  push:
    branches: [main, master]
  pull_request:
  schedule:
    - cron: '17 6 * * 1'
  workflow_dispatch:

# No workflow-level permissions: the only job is a reusable-workflow call,
# and reusable callers must declare the forwarded scopes on the job itself.
permissions: {}

jobs:
  scan:
    # Scopes are set here (not workflow-level) so they apply only to the
    # reusable call — avoids zizmor `excessive-permissions`.
    permissions:
      contents: read          # checkout in the reusable's jobs
      security-events: write  # reusable uploads CodeQL/zizmor SARIF
      pull-requests: read     # reusable dependency-review reads PR diff
      actions: read           # reusable CodeQL + zizmor jobs request it;
                              # a reusable cannot exceed the caller's grant,
                              # so omitting this fails the run at startup
    # SHA-pinned per org policy (mutable @main is rejected by zizmor
    # unpinned-uses). Trailing comment keeps Dependabot updates working;
    # matches the convention in ci.yml.
    uses: resq-software/.github/.github/workflows/security-scan.yml@73b9edb8f4f28a99f70ee22eb5e2dd2bf7807c84 # main (2026-06-01, #21)
    with:
      languages: '["actions"]'
      enable-semgrep: true
    # Forward only the secret this caller needs by name (semgrep is the only
    # enabled token-consuming scanner) instead of `secrets: inherit`, which
    # hands the reusable ALL of this repo's secrets — zizmor secrets-inherit.
    secrets:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
```
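The comments in the workflow above name three zizmor findings the caller is written to avoid: `unpinned-uses`, `secrets-inherit` and `excessive-permissions`. The script below is an added example, not code from this PR or from resq-software, that checks a caller workflow for exactly those three conditions with the standard library only (regex and line-based, so it approximates zizmor rather than replacing it). The two workflow texts embedded in it are constructed samples: one with the weak settings (mutable `@main`, `secrets: inherit`, a workflow-level write scope) and one shaped like the hardened caller on this page; the `example-org` owner and the all-zero commit SHA are placeholders.

```python
"""Minimal lint for a GitHub Actions caller workflow (added example, not part
of resq-software's tooling): flags unpinned `uses:` refs, `secrets: inherit`,
and write scopes granted at the workflow level."""
import re

# `uses: owner/repo/path@ref`, with or without a leading list dash.
_USES = re.compile(r"^[ \t]*-?[ \t]*uses:[ \t]*([^\s@#]+)@([^\s#]+)", re.M)
_FULL_SHA = re.compile(r"^[0-9a-f]{40}$")           # an immutable commit pin
_INHERIT = re.compile(r"^[ \t]*secrets:[ \t]*inherit[ \t]*(#.*)?$", re.M)


def unpinned_uses(text: str) -> list[str]:
    """'action@ref' for every `uses:` whose ref is a tag or branch, not a
    full commit SHA.  docker:// images are skipped: they pin by digest."""
    return [f"{action}@{ref}" for action, ref in _USES.findall(text)
            if not action.startswith("docker://") and not _FULL_SHA.match(ref)]


def inherits_secrets(text: str) -> bool:
    """True if any job forwards every repository secret via `secrets: inherit`."""
    return _INHERIT.search(text) is not None


def workflow_level_writes(text: str) -> list[str]:
    """Scopes granted `write` under the top-level `permissions:` key, which
    every job in the workflow receives.  Top-level keys are the unindented
    lines; the block belongs to `permissions:` until the next unindented key."""
    writes, in_perms = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop trailing comments
        if not line.strip():
            continue
        if not line[0].isspace():                  # a new top-level key
            key, _, value = line.partition(":")
            in_perms = key == "permissions"
            if in_perms and value.strip() == "write-all":
                writes.append("write-all")
            continue
        if in_perms:
            scope, _, level = line.strip().partition(":")
            if level.strip() == "write":
                writes.append(scope)
    return writes


def lint_workflow(text: str) -> dict:
    """All three findings for one workflow file's text."""
    return {
        "unpinned-uses": unpinned_uses(text),
        "secrets-inherit": inherits_secrets(text),
        "excessive-permissions": workflow_level_writes(text),
    }


# Constructed sample: the weak shape the page's comments warn against.
WEAK_CALLER = """\
name: security
on: [push, pull_request]
permissions:
  contents: read
  security-events: write
jobs:
  scan:
    uses: example-org/.github/.github/workflows/security-scan.yml@main
    secrets: inherit
"""

# Constructed sample: same caller, hardened the way security.yml above is.
# The 40-zero SHA is a placeholder standing in for a real commit.
HARDENED_CALLER = """\
name: security
on: [push, pull_request]
permissions: {}
jobs:
  scan:
    permissions:
      contents: read
      security-events: write
    uses: example-org/.github/.github/workflows/security-scan.yml@0000000000000000000000000000000000000000 # main
    secrets:
      SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CALLER), ("hardened", HARDENED_CALLER)):
        print(name, lint_workflow(text))
```

The job-level `security-events: write` in the hardened sample is deliberately not reported: it is scoped to the one job that calls the reusable workflow, which is the point the page's comment on job-level permissions makes. Only a write scope under the top-level `permissions:` key, or `write-all`, counts as excessive here.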