pytest-dev · kingbuzzman · Jun 5, 2025 · Jun 4, 2025 · Jun 4, 2025 · Jun 4, 2025
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -25,6 +25,7 @@ jobs:
     timeout-minutes: 15
     permissions:
       contents: read
+      security-events: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -57,6 +58,13 @@ jobs:
         env:
           MATRIX_NAME: ${{ matrix.name }}
 
+      - name: Upload SARIF report into the GitHub repo code scanning
+        if: contains(matrix.name, 'linting')
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: zizmor.sarif
+          category: zizmor
+
       - name: Report coverage
         if: contains(matrix.name, 'coverage')
         uses: codecov/codecov-action@v5

diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -4,3 +4,4 @@ rules:
       policies:
         actions/*: ref-pin
         codecov/codecov-action: ref-pin
+        github/*: ref-pin
diff --git a/.gitignore b/.gitignore
@@ -18,3 +18,4 @@ _build
 *.egg
 # autogenerated by setuptools-scm
 /pytest_django/_version.py
+zizmor.sarif
diff --git a/tox.ini b/tox.ini
@@ -44,11 +44,12 @@ commands =
 
 [testenv:linting]
 dependency_groups = linting
+allowlist_externals = sh
 commands =
     ruff check --diff {posargs:pytest_django pytest_django_test tests}
     ruff format --quiet --diff {posargs:pytest_django pytest_django_test tests}
     mypy {posargs:pytest_django pytest_django_test tests}
-    zizmor --persona=pedantic .github/workflows/deploy.yml .github/workflows/main.yml
+    sh -c "zizmor --persona=pedantic --format sarif .github/workflows/deploy.yml .github/workflows/main.yml > zizmor.sarif"
 
 [testenv:doc8]
 basepython = python3