Problem
GitHub Actions have some security footguns, e.g. https://securitylab.github.com/resources/github-actions-preventing-pwn-requests/
Proposed Solution
Zizmor (https://github.com/zizmorcore/zizmor) provides static analysis to prevent such footguns.
I would like to integrate it as a GitHub Action that runs when a PR is opened.
Not necessarily blocking, but it clearly informs the author that there could be an issue, pointing to resources to understand it.
Here is an example
Additional context
Some Jupyter repositories already use it, such as https://github.com/pydata/pydata-sphinx-theme/blob/main/.github/workflows/zizmor.yml
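For readers who have not followed the Security Lab link, here is the "pwn request" footgun it describes, shown as an added example (not part of this issue, and not a workflow from any Jupyter project). The two workflows are separated by `---` so they fit in one block; the job name, the `npm` commands and the PR title step are illustrative. The zizmor audit names in the comments (`dangerous-triggers`, `template-injection`, `unpinned-uses`) are taken from zizmor's documentation; confirm them against the version you run.

```yaml
# Vulnerable shape. `pull_request_target` executes in the context of the
# base repository, so the job gets a read/write GITHUB_TOKEN and access to
# repository secrets even for PRs opened from forks. Checking out the PR
# head and running its code hands both to whoever opened the PR.
# (zizmor: dangerous-triggers, template-injection, unpinned-uses)
name: ci-vulnerable
on:
  pull_request_target:
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled tree
      - run: npm ci && npm test                               # attacker-controlled code, privileged token
      # Template injection: the expression is substituted into the script
      # text before the shell sees it, so a crafted title becomes shell code.
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
---
# Hardened shape of the same job.
name: ci-hardened
on:
  pull_request:            # fork PRs get a read-only token and no secrets
permissions:
  contents: read           # explicit least privilege, even where the default is already limited
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in a real repository
        with:
          persist-credentials: false # do not leave the token in .git/config for later steps
      - run: npm ci && npm test
      # Untrusted data travels through an environment variable, never through
      # the script text, so it is only ever a string to the shell.
      - run: echo "PR title: $PR_TITLE"
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
```

If a job genuinely needs write access while handling fork PRs (labelling, commenting), keep `pull_request_target` but never check out or execute the PR's code in that job; build and test under `pull_request`, and pass results to the privileged job via `workflow_run` and artifacts, as the linked article recommends.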
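One way to wire zizmor in the non-blocking way the proposal describes, as an added example rather than the issue author's workflow or a copy of the pydata-sphinx-theme one. Assumptions: zizmor is invoked through `uvx` (zizmor also ships an official action, not used here), uv is installed with `astral-sh/setup-uv`, and findings are uploaded with `github/codeql-action/upload-sarif`; the action references use tags only because this example cannot carry real commit hashes, so replace them with full SHAs before use.

```yaml
name: zizmor
on:
  pull_request:
  push:
    branches: [main]

permissions: {}             # grant nothing at workflow level; each job asks for what it needs

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # check out the workflows being audited
      security-events: write  # upload SARIF to code scanning
      actions: read           # required by upload-sarif to resolve the run
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # zizmor itself flags a checkout that keeps the token
      - uses: astral-sh/setup-uv@v5
      - name: Run zizmor
        # SARIF keeps the job green; findings show up as PR annotations and
        # code-scanning alerts with links to zizmor's documentation per audit.
        run: uvx zizmor --format sarif . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # lets zizmor resolve action refs against the API
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: zizmor
```

The upload step does not fail on findings, which is what makes this informational: authors see the annotations and the linked explanation, and maintainers can later make it blocking by requiring the `zizmor` check in branch protection rather than by changing the workflow.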