---
# Reusable security workflow: callers invoke it via `uses:` from their own
# workflow. Two independent checks run in parallel (pinact, zizmor) and a
# final job turns any failure/cancellation into a single red result.
name: security

on:  # yamllint disable-line rule:truthy
  workflow_call:

# Workflow-wide default: the GITHUB_TOKEN handed to every job is read-only on
# repository contents unless a job widens it explicitly below.
permissions:
  contents: read

jobs:
  # Verifies that every third-party action reference in the repo's workflows
  # is pinned to a full commit SHA (a tag can be moved; a SHA cannot).
  pinact:
    name: pinact
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Do not leave the job token in .git/config for later steps to read.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: suzuki-shunsuke/pinact-action@cf51507d80d4d6522a07348e3d58790290eaf0b6 # v2.0.0
        with:
          # Pinned commits must be at least 3 days old, so a freshly pushed
          # (possibly malicious) commit cannot be adopted immediately.
          min_age: "3"
          # Check only; never push fixes back. Unpinned actions fail the run.
          skip_push: "true"

  # Static analysis of the workflows themselves (injection, excessive
  # permissions, credential persistence, ...), reported to Code Scanning.
  zizmor:
    name: zizmor
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed to upload the SARIF report to Code Scanning.
      security-events: write
      # Needed by zizmor-action on private/internal repositories.
      actions: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      # Quoted heredoc delimiter ('EOF'): the body is written verbatim, with
      # no shell expansion. Mirrors pinact's 3-day cooldown for Dependabot.
      - name: Write zizmor config
        run: |
          cat > ./zizmor.yml <<'EOF'
          rules:
            dependabot-cooldown:
              config:
                days: 3
          EOF
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
        with:
          # Strictest built-in rule set.
          persona: pedantic
          config: ./zizmor.yml

  # Single required status for branch protection: runs even when an upstream
  # job failed, then fails itself if any dependency did not succeed.
  summary:
    name: summary
    needs:
      - pinact
      - zizmor
    runs-on: ubuntu-latest
    # This job calls no API at all; drop every token scope.
    permissions: {}
    if: ${{ always() }}
    steps:
      # Pass the expression through an environment variable instead of
      # interpolating it into the script body.
      - name: Print job results
        env:
          NEEDS_JSON: ${{ toJson(needs) }}
        run: |
          echo "'needs': ${NEEDS_JSON}"
      - name: Fail if any required job failed or was cancelled
        if: ${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') }}
        run: exit 1