@@ -335,32 +335,33 @@ the vulnerabilities that need to be taken into account when using the library.
335335
336336Addressing common vulnerabilities in Github Actions
337337---------------------------------------------------
338- Vulnerabilities can exist in continuous integration pipelines the same way can exist in the codebase.
339- Therefore, it is important to secure your actions / workflows against known vulnerabilities to prevent
340- security breaches and supply chain attacks .
338+ Vulnerabilities can exist in continuous integration (CI) pipelines just as they can in a codebase.
339+ To reduce the risk of security breaches and supply chain attacks, it is important to secure your
340+ GitHub Actions workflows against known vulnerabilities .
341341
342- `zizmor `_ is a static analysis tool that can help audit Github Actions CI/CD setups. It provides functionality
343- for detecting common vulnerabilities and in some cases, fixing them. Refer to ` zizmor audit rules `_ for detailed
344- information about the rules ` zizmor ` applies when auditing workflows.
342+ `zizmor `_ is a static analysis tool that audits GitHub Actions CI/CD setups. It detects common
343+ vulnerabilities and, in some cases, can automatically fix them. For detailed information about
344+ the rules that zizmor applies when auditing workflows, see ` zizmor audit rules `_ .
345345
346346Auditing CI/CD setups in the PyAnsys ecosystem
347347~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
348- The recommended workflow auditing process for PyAnsys ecosystem projects is using the ``ansys/actions/check-actions-security ``
349- action. The action is wraps ``zizmor `` lightly to provide additional functionalities and configurations sensible for projects
350- within the ecosystem. Refer to `the check-actions-security-action documentation `_ for information on how to set it up.
348+ For PyAnsys ecosystem projects, the recommended way to audit workflows is to use the
349+ ``ansys/actions/check-actions-security `` action. The action wraps ``zizmor `` and provides
350+ additional functionality and configuration tailored to PyAnsys projects. For setup instructions,
351+ see `the check-actions-security-action documentation `_.
351352
352- How to fix common issues detected by ``zizmor ``
353- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
354- This section provides information on fixing common workflow vulnerabilities. Project maintainers can also consult the
355- following pull requests for examples of workflows / actions already fixed within the PyAnsys ecosystem:
353+ Fixing common issues detected by ``zizmor ``
354+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
355+ This section describes how to fix common workflow vulnerabilities.
356+ For practical examples, see these pull requests with fixes already applied in the PyAnsys ecosystem:
356357
357358- `Ansys actions security fixes 1 `_
358359- `Ansys actions security fixes 2 `_
359360- `Ansys actions security fixes 3 `_
360361- `PyConverter-XML2Py security fixes `_
361362
362- For vulnerabilities not list here, refer to `zizmor audit rules `_ for remediation steps. For more examples on fixing
363- issues detected by zizmor, consult `zizmor trophy case `_.
363+ For vulnerabilities not listed here, refer to `zizmor audit rules `_ for remediation steps.
364+ For additional examples of fixes, see the `zizmor trophy case `_.
364365
365366**artipacked **
366367
@@ -390,8 +391,8 @@ issues detected by zizmor, consult `zizmor trophy case`_.
390391
391392note ::
392393
393- When `` git `` commands requiring credentials to be persisted are executed in subsequent steps
394- within the same job, this vulnerability can be ignored. See `ignoring zizmor results `_
394+ When you run git commands that require persisted credentials in subsequent steps within the same job,
395+ you can ignore this audit finding. For details, see `ignoring zizmor results `_
395396
396397**unpinned-uses **
397398
@@ -425,12 +426,13 @@ issues detected by zizmor, consult `zizmor trophy case`_.
425426
426427note ::
427428
428- ``ansys/actions/check-actions-security `` has a ``trust-ansys-actions `` option that allows using tags
429- for ``ansys/actions ``. With this option, only external actions need to be pinned.
429+ The ``ansys/actions/check-actions-security `` action has a ``trust-ansys-actions `` option that
430+ allows you to use tags for ``ansys/actions ``.
431+ When this option is enabled, you only need to pin external actions.
430432
431433.. tip ::
432434
433- The `pinact `_ tool can be used to automatically pin versions of actions and reusable workflows.
435+ You can use the `pinact `_ tool to automatically pin versions of actions and reusable workflows.
434436
435437**github-env **
436438
@@ -561,8 +563,7 @@ issues detected by zizmor, consult `zizmor trophy case`_.
561563note ::
562564
563565 The trick is to pass state between steps using ``GITHUB_OUTPUT `` instead of ``GITHUB_ENV `` or ``GITHUB_PATH ``.
564- For commands expected to run on ``cmd `` or ``pwsh `` on windows runners, the principle is the same, only the
565- syntax changes.
566+ On Windows runners, the same principle applies when running commands in ``cmd `` or ``pwsh ``; only the syntax differs.
566567
567568**template-injection **
568569
@@ -638,12 +639,12 @@ issues detected by zizmor, consult `zizmor trophy case`_.
638639
639640note ::
640641
641- Notice that RUNNER_TEMP and GITHUB_WORKSPACE were not explicitly set in the ``env `` block. This
642- is because some github context variables have corresponding environment variables, such as `` runner.temp ``
643- and ``github.workspace `` in this case.
642+ Notice that `` RUNNER_TEMP `` and `` GITHUB_WORKSPACE `` were not explicitly set in the ``env `` block.
643+ Some GitHub context variables automatically map to environment variables, such as
644+ `` runner.temp `` to `` RUNNER_TEMP `` and ``github.workspace `` to `` GITHUB_WORKSPACE ``
644645
645- When corresponding environment variables are not automatically available, they must be set in the
646- `` env `` block of the job or step where they are needed before they can be used .
646+ If a corresponding environment variable is not automatically available, you must set it in the `` env ``
647+ block of the job or step where it is needed before you can use it .
647648
648649**excessive-permissions **
649650
@@ -784,23 +785,34 @@ Ignoring ``zizmor`` findings
784785
785786One-off comments
786787++++++++++++++++
787- While auditing workflows with zizmor, you may have to ignore audit findings that are not relevant
788- to your workflows. zizmor audits are ignored by adding a comment to any line within the span where
789- the audit finding is located, so long as it can be identified as a YAML comment.
788+ While auditing workflows with ``zizmor ``, you might need to ignore findings that are not relevant to your workflows.
789+ You can ignore ``zizmor `` audits by adding a YAML comment on any line within the span of the finding.
790790
791- The comment should be in the format ``# zizmor: ignore[rulename] ``, where ``<rulename> `` is audit rule type.
792- To ignore ``artipacked `` for example, ``# zizmor: ignore[artipacked] `` would be added. Ignoring
793- multiple audits within the same span is achieved by separating each rule with a comma, e.g.
794- ``zizmor: ignore[github-env,template-injection] ``.
791+ Use the following format:
795792
796- For more information, refer to `ignoring zizmor results `_.
793+ .. code :: yaml
794+
795+ # zizmor: ignore[<rule-name>]
796+
797+ artipacked `` rule:
798+
799+ .. code :: yaml
800+
801+ # zizmor: ignore[artipacked]
802+
803+
804+
805+ .. code :: yaml
806+ # zizmor: ignore[github-env,template-injection]
807+
808+ ignoring zizmor results `_.
797809
798810``zizmor.yml `` configuration file
799811+++++++++++++++++++++++++++++++++
800- A ``zizmor.yml `` configuration file is easier to maintain than one-off comments when ignoring multiple
801- findings or entire files .
812+ If you need to ignore multiple findings or entire files, a ``zizmor.yml `` configuration file is
813+ easier to maintain than one-off comments .
802814
803- A ``zizmor.yml `` may look like the following :
815+ A ``zizmor.yml `` file might look like this :
804816
805817.. code :: yaml
806818
@@ -818,9 +830,9 @@ A ``zizmor.yml`` may look like the following:
818830
819831
820832
821- - Declares that ``ansys/actions `` can be pinned with tags but ``actions/* `` must be pinned with a SHA.
822- - Ignores all ``template-injection `` findings in safe.yml, regardless of line/ column location.
823- - Ignores any ``template-injection `` findings in somewhat-safe.yml that occur on line 123
824- - Ignores one ``template-injection `` finding in one-exact-spot.yml that occurs on line 123, column 456
833+ - Declares that ``ansys/actions `` can be pinned with tags, but ``actions/* `` must be pinned with a SHA.
834+ - Ignores all ``template-injection `` findings in `` safe.yml `` , regardless of line or column location.
835+ - Ignores any ``template-injection `` findings in `` somewhat-safe.yml `` that occur on line 123.
836+ - Ignores one ``template-injection `` finding in `` one-exact-spot.yml `` that occurs on line 123, column 456.
825837
826- For more information, refer to `ignoring zizmor results `_.
838+ For more information, see `ignoring zizmor results `_.
0 commit comments