#571 add zizmor workflow#945
Conversation
Wire zizmor static analysis into CI for GitHub Actions security checks.
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
| contents: read | ||
| actions: read | ||
| steps: | ||
| - uses: actions/checkout@v6 |
| - uses: actions/checkout@v6 | ||
| with: | ||
| persist-credentials: false | ||
| - uses: zizmorcore/zizmor-action@v0.5.6 |
Match the existing project convention of pinning actions by tag rather than full SHA, so the new zizmor job audits unpinned-uses against ref-pin rather than the default hash-pin.
Drop the invalid zizmor.yml config and switch the action to continue-on-error with advanced-security disabled, so findings surface in job logs without breaking CI while the team addresses the existing workflow issues.
|
@rultor merge |
@volodya-lombrozo OK, I'll try to merge now. You can check the progress of the merge here. |
@kreinba @volodya-lombrozo Oops, I failed. You can see the full log here (spent 4min). |
|
@volodya-lombrozo Thanks for the review! You've earned +4 points for this: +12 as a basis; -5 for very few (2) comments; -4 for too few (27) hits-of-code; +1 to give you at least something. Your running score is +452; don't forget to check your Zerocracy account too). |
|
@rultor merge |
@volodya-lombrozo OK, I'll try to merge now. You can check the progress of the merge here. |
@kreinba @volodya-lombrozo Oops, I failed. You can see the full log here (spent 4min). |
|
Thanks for the contribution! Unfortunately this PR cannot be merged as-is because the repo requires all commits to have verified GPG or SSH signatures, and some commits here are unsigned. Please sign your commits (see https://docs.github.com/en/authentication/managing-commit-signature-verification/signing-commits) and feel free to reopen — we'd be happy to review it again. |
Closes #571.
Adds a
zizmorworkflow under.github/workflows/so the project's GitHub Actions files are statically analyzed on every push and pull request tomaster, in line with the other workflow-level checks already wired up (actionlint,yamllint,markdown-lint, etc.). The job uses the officialzizmorcore/zizmor-actionwith the narrowed permission set the action documents.Verified locally with
yamllint .github/workflows/zizmor.yml(clean),actionlint .github/workflows/zizmor.yml(clean), andreuse lint(still compliant).