zizmor security actions

Author: jamesc-grafana

.github/workflows/dependabot-automerge.yaml

@@ -31,7 +31,7 @@ jobs:
     steps:
       - name: Generate token
         id: generate-token
-        uses: tibdex/github-app-token@v1
+        uses: tibdex/github-app-token@32691ba7c9e7063bd457bd8f2a5703138591fa58 # v1
         continue-on-error: true
         with:
           app_id: ${{ secrets.DEPENDABOTREVIEWER_ID }}
@@ -40,9 +40,10 @@ jobs:
         id: dependabot-metadata
         uses: dependabot/fetch-metadata@v1.5.1
       - name: Enable auto-merge for Dependabot PRs
-        run: gh pr merge --auto --${{ inputs.repository-merge-method }} "$PR_URL"
+        run: gh pr merge --auto --${MERGE_METHOD} "$PR_URL"
         env:
           GITHUB_TOKEN: ${{ steps.generate-token.outputs.token || secrets.envPAT || secrets.GITHUB_TOKEN}}
+          MERGE_METHOD: ${{ inputs.repository-merge-method }}
       - name: Approve patch updates
         if: ${{ steps.dependabot-metadata.outputs.update-type == 'version-update:semver-patch' }}
         run: gh pr review $PR_URL --approve -b "**Approving** patch update"

.github/workflows/self-zizmor.yaml

@@ -0,0 +1,19 @@
+name: zizmor GitHub Actions static analysis
+on:
+  push:
+  pull_request:
+
+jobs:
+  zizmor:
+    name: Run zizmor from current branch (self test)
+
+    permissions:
+      actions: read
+      contents: read
+
+      pull-requests: write
+      security-events: write
+
+    uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@5946b80e86f32bb4d208c2483c58345bbeef03d2
+    with:
+      codeql-enabled: false

.github/workflows/snyk_monitor.yml

@@ -7,23 +7,17 @@ on:
         required: true
 jobs:
   snyk_scans:
-
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3
+        with:
+          persist-credentials: false
       - name: Run Snyk to import ${{ github.event.repository.name }} to Snyk
         continue-on-error: true
-        uses: snyk/actions/golang@master
+        uses: snyk/actions/golang@4a528b5c534bb771b6e3772656a8e0e9dc902f8b # master
         env:
           SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
         with:
           command: monitor
-          args:  --strict-out-of-sync=false --all-projects --exclude=devenv --tags=repo=${{ github.event.repository.name }}
-
-
-
-
-
-
-
+          args: --strict-out-of-sync=false --all-projects --exclude=devenv --tags=repo=${{ github.event.repository.name }}

trivy/action.yml

@@ -69,14 +69,16 @@ runs:
     - name: "Comment the Trivy diff"
       env:
         GITHUB_TOKEN: ${{ inputs.github-token }}
-        BRANCH_NAME: ${{ github.head_ref || github.ref_name }} 
+        BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
+        PR_NUMBER: ${{ github.event.pull_request.number }}
+        BASE_REF: ${{ github.base_ref }}
       run: |
         output=$(cat output.txt)
         if [ "$output" == "No new vulnerabilities found." ]; then
           echo "No new vulnerabilities found."
           exit 0
         else
-          comment=$(echo -e "### New vulnerabilities introduced in branch $BRANCH_NAME compared to ${{ github.base_ref }}\n\n" ; jq -r '.[] | "* \(.VulnerabilityID), Severity: \(.Severity), Package: \(.PkgName), Installed: \(.InstalledVersion), Fixed: \(.FixedVersion // "N/A")"' output.txt)
-          gh pr comment ${{ github.event.pull_request.number }} --body "$comment"
+          comment=$(echo -e "### New vulnerabilities introduced in branch $BRANCH_NAME compared to $BASE_REF\n\n" ; jq -r '.[] | "* \(.VulnerabilityID), Severity: \(.Severity), Package: \(.PkgName), Installed: \(.InstalledVersion), Fixed: \(.FixedVersion // "N/A")"' output.txt)
+          gh pr comment $PR_NUMBER --body "$comment"
         fi
       shell: bash