diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index d14f1843c5..2650970c12 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -3,6 +3,12 @@ name: Zizmor GitHub Actions Security Analysis on: workflow_call: + inputs: + persona: + description: 'Zizmor persona to use for analysis.' + required: false + default: regular + type: string push: branches: - main @@ -35,4 +41,4 @@ jobs: - name: Run zizmor uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 with: - persona: pedantic + persona: ${{ inputs.persona || 'regular' }} diff --git a/zizmor/README.md b/zizmor/README.md index d062a85b9a..82b91c48f2 100644 --- a/zizmor/README.md +++ b/zizmor/README.md @@ -18,13 +18,27 @@ on: - cron: '45 9 * * 5' workflow_dispatch: -permissions: - contents: read - security-events: write +permissions: {} jobs: zizmor: + permissions: + contents: read # for actions/checkout + security-events: write # for zizmor to upload SARIF results uses: open-telemetry/shared-workflows/.github/workflows/zizmor.yml@ ``` -Pin `` to a commit SHA or release tag in this repository. No inputs or secrets are required. +Pin `` to a commit SHA or release tag in this repository. No inputs or secrets are required. The workflow uses zizmor's `regular` persona by default. + +To use a different persona, pass the `persona` input: + +```yaml +jobs: + zizmor: + permissions: + contents: read # for actions/checkout + security-events: write # for zizmor to upload SARIF results + uses: open-telemetry/shared-workflows/.github/workflows/zizmor.yml@ + with: + persona: pedantic +```