3 changes: 2 additions & 1 deletion .github/dependabot.yml
@@ -1,10 +1,11 @@
version: 2
updates:
- package-ecosystem: "github-actions"
open-pull-requests-limit: 10
directory: "/"
schedule:
interval: "daily"
cooldown:
default-days: 7
labels:
- "area/dependencies"
- "bot"
40 changes: 37 additions & 3 deletions .github/workflows/.pr-assign-author.yml
@@ -1,17 +1,51 @@
name: .pr-assign-author

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

on:
pull_request_target:
pull_request_target: # zizmor: ignore[dangerous-triggers] safe to use without checkout
types:
- opened
- reopened

jobs:
run:
uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@1b673f36fad86812f538c1df9794904038a23cbf
vendor this reusable workflow here as zizmor does not support scanning of transient workflows.

assign-author:
runs-on: ubuntu-24.04
permissions:
contents: read
pull-requests: write
steps:
-
name: Assigning author to PR
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
try {
const dt = context.payload?.pull_request;
if (!dt) {
throw new Error(`No pull request payload found, skipping.`);
}
const { assignees, number, user: { login: author, type } } = dt;
if (assignees.length > 0) {
throw new Error(`Pull request is already assigned to someone, skipping.`);
} else if (type !== 'User') {
throw new Error(`Not a user, skipping.`);
}
const respAdd = await github.rest.issues.addAssignees({
...context.repo,
issue_number: number,
assignees: [author]
});
core.debug(`addAssignees resp: ${JSON.stringify(respAdd, null, 2)}`);
if (respAdd.status !== 201) {
throw new Error(`Failed to assign @${author} to the pull request #${number}.`);
}
core.info(`@${author} has been assigned to the pull request #${number}`);
} catch (e) {
core.warning(e.message);
}
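Review bot: The three early-exit conditions in the inline script of the `Assigning author to PR` step (no payload, already assigned, author type not `User`) are written as `throw new Error(...)` and all land in the `catch` as `core.warning`, so an expected no-op run produces the same warning annotation as the genuine failure on the `addAssignees` status check. The `pull_request_target` trigger is used here without a checkout and the only payload value reused is the author login passed as an API parameter, so the ignore on that trigger looks justified; this point is purely about how the script is written. I would turn each skip into `core.info(...); return;` and keep the `throw` only for the non-201 response, leaving the catch-all for real API errors.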
4 changes: 4 additions & 0 deletions .github/workflows/.test-bake.yml
@@ -1,5 +1,9 @@
name: .test-bake

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
4 changes: 4 additions & 0 deletions .github/workflows/.test-build.yml
@@ -1,5 +1,9 @@
name: .test-build

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
65 changes: 65 additions & 0 deletions .github/workflows/.zizmor.yml
@@ -0,0 +1,65 @@
name: .zizmor

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true

on:
workflow_dispatch:
push:
branches:
- 'main'
- 'releases/v*'
pull_request:

env:
ZIZMOR_VERSION: 1.22.0 # https://github.com/zizmorcore/zizmor

jobs:
zizmor:
runs-on: ubuntu-24.04
permissions:
contents: read
security-events: write
env:
TMPDIR: /tmp/zizmor
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
-
name: Setup uv
uses: astral-sh/setup-uv@803947b9bd8e9f986429fa0c5a41c367cd732b41 # v7.2.1
with:
enable-cache: false
-
name: Install zizmor
run: |
set -ex
uv tool install zizmor@${ZIZMOR_VERSION}
-
name: Run zizmor
id: zizmor
run: |
mkdir -p ${TMPDIR}
set -ex
zizmor --min-severity=medium --min-confidence=medium --persona=pedantic --no-online-audits --format=sarif . > ${TMPDIR}/zizmor.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
name: Zizmor crash report
if: ${{ failure() && steps.zizmor.conclusion == 'failure' }}
run: |
cat ${TMPDIR}/report-*.toml
-
name: Upload SARIF report
uses: github/codeql-action/upload-sarif@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
with:
sarif_file: ${{ env.TMPDIR }}/zizmor.sarif
category: zizmor
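Review bot: The `Run zizmor` step sets `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` while also passing `--no-online-audits`; as far as I know the token is only consumed by the online audits, so the credential is handed to a step that should not need it and the `env:` block can be dropped (or the flag removed, if online audits are actually wanted). Separately, in that step `mkdir -p ${TMPDIR}` runs before `set -ex`, unlike the `Install zizmor` step, so a failure to create the directory is only caught when the redirect fails; moving `set -ex` to the first line of the script keeps the two steps consistent.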
9 changes: 9 additions & 0 deletions .github/zizmor.yml
@@ -0,0 +1,9 @@
rules:
# rule does not apply to reusable worfklows where permissions are defined by
# the caller workflow and not the reusable workflow itself: https://github.com/docker/github-builder/issues/24
# https://docs.zizmor.sh/audits/#excessive-permissions
excessive-permissions:
ignore:
- bake.yml
- build.yml
- verify.yml
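Review bot: The `excessive-permissions` ignore entries name whole files, so any future finding of that rule in bake.yml, build.yml or verify.yml is suppressed too, not only the reusable-workflow case the comment justifies; zizmor's config also accepts `<file>:<line>[:<col>]` entries if the exemption is meant to stay narrow, though the line form is brittle across edits, so a file-wide ignore with the comment kept may be the deliberate trade-off. The comment above `excessive-permissions` also has a typo, `worfklows` → `workflows`.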