feat(ci): add zizmor workflow security scan to deb-packages #8

Merged
penso merged 1 commit into main from claude/add-zizmor-to-deb-packages
Jan 30, 2026

@penso penso commented Jan 30, 2026

Summary

  • Add a zizmor workflow security scan job to deb-packages.yml, matching the pattern in ci.yml
  • Gate all build jobs (build-deb, build-rpm, build-arch, build-appimage, build-snap, build-homebrew-binaries) on the zizmor check
  • Uses zizmorcore/zizmor-action pinned to SHA (v0.4.1) with advanced-security: false and online-audits: false

Test plan

  • Verify CI zizmor job passes on this PR

🤖 Generated with Claude Code
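
The gate described in the summary only holds if every build job reaches the zizmor job through `needs`. The following is an added example, not code from this pull request or the project: a Ruby check that lists jobs able to start without the zizmor job, run here on a constructed workflow (job names other than `zizmor`, `build-deb`, `build-rpm` and `build-snap` are assumptions).

```ruby
require "yaml"

# Constructed sample workflow (not the project's deb-packages.yml): two jobs
# gated on zizmor, one gated transitively, one left ungated by mistake.
SAMPLE_WORKFLOW = <<~YAML
  name: packages
  jobs:
    zizmor:
      runs-on: ubuntu-latest
    build-deb:
      needs: zizmor
      runs-on: ubuntu-latest
    build-rpm:
      needs: [zizmor]
      runs-on: ubuntu-latest
    publish:
      needs: [build-deb, build-rpm]
      runs-on: ubuntu-latest
    build-snap:
      runs-on: ubuntu-latest
YAML

# Normalise `needs`, which GitHub Actions accepts as a string or a list.
def needs_of(job)
  Array(job.is_a?(Hash) ? job["needs"] : nil).map(&:to_s)
end

# True when `name` depends on `gate` directly or through other jobs.
# `seen` guards against dependency cycles in a malformed workflow.
def gated?(jobs, name, gate, seen = [])
  return false if seen.include?(name)
  needs_of(jobs[name]).any? do |dep|
    dep == gate || gated?(jobs, dep, gate, seen + [name])
  end
end

# Names of jobs that can start without the gate job having succeeded.
def ungated_jobs(workflow_yaml, gate = "zizmor")
  jobs = YAML.safe_load(workflow_yaml).fetch("jobs")
  raise ArgumentError, "no #{gate} job" unless jobs.key?(gate)
  (jobs.keys - [gate]).reject { |name| gated?(jobs, name, gate) }
end

puts ungated_jobs(SAMPLE_WORKFLOW).inspect if $PROGRAM_NAME == __FILE__
```

The check covers the `needs` graph only; a job that sets `if: always()` still runs after a failed dependency and has to be reviewed separately.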

Gate all build jobs on a zizmor security scan, matching the pattern
used in the CI workflow.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@penso penso merged commit 6531aa8 into main Jan 30, 2026
4 checks passed
@penso penso deleted the claude/add-zizmor-to-deb-packages branch January 30, 2026 03:03
penso added a commit that referenced this pull request Mar 23, 2026
)

Gate all build jobs on a zizmor security scan, matching the pattern
used in the CI workflow.

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Cstewart-HC added a commit to Cstewart-HC/moltis-mini that referenced this pull request Apr 16, 2026
Review fixes applied:
- #1: Extract require_str/opt_usize_or to moltis_tools::params — replaced
  local helpers with params::require_str() and params::u64_param() from
  the shared workspace crate
- #2: Unified error model — CodebaseSearchTool now returns
  Ok(json!({error:..., search_available: false})) for
  BackendUnavailable, matching Peek/Status pattern
- #3: u64→usize truncating cast replaced with usize::try_from().unwrap_or()
- #4: ensure_collections() error remapped from BackendUnavailable to
  IndexFailed { project_id, message }
- moltis-org#6: result.line as usize now clamped with .max(1) minimum
- moltis-org#7: compute_delta carries forward previous hash on hash errors so
  files aren't spuriously marked as removed
- moltis-org#8: Added doc comment noting that watcher batches may contain
  duplicate paths
- moltis-org#9: Extracted effective_extension() from filter.rs, removed
  duplication between filter.rs and watcher.rs
- moltis-org#11: Added tracing::debug! for skipped files in build_initial_snapshot
- moltis-org#12: Added 'drop to stop' documentation on CodeIndexWatcher::start()

32 tests pass, clippy clean.