ci: gate optional Claude and security-scan jobs behind repository variables #133
| name: Workflow Checks | |
| on: | |
| push: | |
| branches: [main] | |
| paths: | |
| - '.github/workflows/**' | |
| - '.github/actions/**' | |
| - '.github/zizmor.yml' | |
| pull_request: | |
| paths: | |
| - '.github/workflows/**' | |
| - '.github/actions/**' | |
| - '.github/zizmor.yml' | |
| permissions: {} | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| actionlint: | |
| name: Actionlint | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Run actionlint | |
| uses: docker://rhysd/actionlint:1.7.12@sha256:b1934ee5f1c509618f2508e6eb47ee0d3520686341fec936f3b79331f9315667 | |
| zizmor: | |
| name: Zizmor | |
| # Uploads SARIF to the Security tab, which requires GitHub code scanning to be | |
| # enabled on the repository. Set the ENABLE_WORKFLOW_SECURITY_SCAN repository | |
| # variable to 'false' to skip this job where code scanning isn't available; | |
| # leave it unset (the default) to run the scan. | |
| if: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN != 'false' }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| security-events: write # Upload SARIF to GitHub Security tab | |
| contents: read # Read workflow files for analysis | |
| actions: read # Read workflow run metadata | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| with: | |
| persist-credentials: false | |
| - name: Run zizmor | |
| uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6 |
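Review bot: The job-level `if: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN != 'false' }}` on `zizmor` skips the whole audit rather than only the SARIF upload, so a repository without code scanning gets no zizmor check on workflow changes at all. A skipped job also reports success to a required status check, which means anyone who can edit repository variables can switch the scan off without a failing check showing it. Consider leaving the job unconditional and gating only the upload on the action step, e.g. `with:` / `advanced-security: ${{ vars.ENABLE_WORKFLOW_SECURITY_SCAN != 'false' }}`, so findings still fail the run in the job log. The comment above the `if:` should then say that 'false' disables the upload, not the scan. The `Run zizmor` step may continue past the last visible line, so check for an existing `with:` block before adding one.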