6 changes: 6 additions & 0 deletions .github/dependabot.yml
@@ -4,7 +4,13 @@ updates:
directory: "/"
schedule:
interval: "daily"
cooldown:
default-days: 2
open-pull-requests-limit: 10
groups:
crazy-max-dot-github:
patterns:
- "crazy-max/.github/*"
labels:
- "area/dependencies"
- "bot"
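Review bot: The new `cooldown` and `groups` blocks are added without a comment saying what they are for, and `default-days: 2` in particular reads as an arbitrary number. A line above `cooldown:` such as `# wait 2 days after a release before opening a version-update PR, so a bad or hijacked release has time to be noticed` would record the intent. Dependabot's cooldown applies to version updates only, so security updates are not delayed by it. The `updates:` entry starts above the hunk, so the ecosystem these keys apply to is not visible here.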
38 changes: 2 additions & 36 deletions .github/workflows/.pr-assign-author.yml
@@ -1,6 +1,5 @@
name: .pr-assign-author

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

@@ -11,41 +10,8 @@ on:
- reopened

jobs:
assign-author:
runs-on: ubuntu-24.04
run:
uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
permissions:
contents: read
pull-requests: write
steps:
-
name: Assigning author to PR
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
with:
script: |
try {
const dt = context.payload?.pull_request;
if (!dt) {
throw new Error(`No pull request payload found, skipping.`);
}

const { assignees, number, user: { login: author, type } } = dt;
if (assignees.length > 0) {
throw new Error(`Pull request is already assigned to someone, skipping.`);
} else if (type !== 'User') {
throw new Error(`Not a user, skipping.`);
}

const respAdd = await github.rest.issues.addAssignees({
...context.repo,
issue_number: number,
assignees: [author]
});
core.debug(`addAssignees resp: ${JSON.stringify(respAdd, null, 2)}`);
if (respAdd.status !== 201) {
throw new Error(`Failed to assign @${author} to the pull request #${number}.`);
}

core.info(`@${author} has been assigned to the pull request #${number}`);
} catch (e) {
core.warning(e.message);
}
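Review bot: The new `run` job hands a token with `pull-requests: write` to a workflow defined in another repository, and nothing at the call site records what that workflow is trusted to do with it. The full-SHA pin on the `uses:` line keeps the called code immutable, but the trailing `# v1.3.0` is only a comment and is not checked against the SHA, so each bump needs the SHA itself reviewed. A comment above the job such as `# reusable workflow from crazy-max/.github; its token is capped by the permissions below and no secrets are passed` would tell the next reviewer what to re-check. The `on:` block starts above the hunk, so the trigger type cannot be confirmed from here; if it is `pull_request_target`, it is worth confirming that the called workflow never checks out or runs code from the pull request.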
1 change: 0 additions & 1 deletion .github/workflows/.test-bake.yml
@@ -1,6 +1,5 @@
name: .test-bake

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

1 change: 0 additions & 1 deletion .github/workflows/.test-build.yml
@@ -1,6 +1,5 @@
name: .test-build

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

48 changes: 5 additions & 43 deletions .github/workflows/.zizmor.yml
@@ -1,6 +1,5 @@
name: .zizmor

# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
permissions:
contents: read

@@ -16,50 +15,13 @@ on:
- 'releases/v*'
pull_request:

env:
ZIZMOR_VERSION: 1.22.0 # https://github.com/zizmorcore/zizmor

jobs:
zizmor:
runs-on: ubuntu-24.04
uses: crazy-max/.github/.github/workflows/zizmor.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
permissions:
contents: read
security-events: write
env:
TMPDIR: /tmp/zizmor
steps:
-
name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
-
name: Setup uv
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
with:
enable-cache: false
-
name: Install zizmor
run: |
set -ex
uv tool install zizmor@${ZIZMOR_VERSION}
-
name: Run zizmor
id: zizmor
run: |
mkdir -p ${TMPDIR}
set -ex
zizmor --min-severity=medium --min-confidence=medium --persona=pedantic --no-online-audits --format=sarif . > ${TMPDIR}/zizmor.sarif
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
name: Zizmor crash report
if: ${{ failure() && steps.zizmor.conclusion == 'failure' }}
run: |
cat ${TMPDIR}/report-*.toml
-
name: Upload SARIF report
uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
with:
sarif_file: ${{ env.TMPDIR }}/zizmor.sarif
category: zizmor
with:
min-severity: medium
min-confidence: medium
persona: pedantic
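Review bot: The `with:` block on the new `zizmor` job passes only `min-severity`, `min-confidence` and `persona`, so two settings the removed steps made explicit, the pinned `ZIZMOR_VERSION` and `--no-online-audits`, are now decided by the called workflow and are no longer visible in this repository. It is worth confirming at the pinned SHA that the tool version is still pinned and that the audit mode is the one this repository wants. Recording that next to the call, e.g. `# zizmor version and online/offline audit mode come from the called workflow at this SHA`, would keep it from being lost on the next bump. The job keeps `security-events: write`, which is presumably still what the SARIF upload inside the called workflow needs.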
4 changes: 4 additions & 0 deletions .github/zizmor.yml
@@ -7,3 +7,7 @@ rules:
- bake.yml
- build.yml
- verify.yml

# FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783
secrets-outside-env:
disable: true
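Review bot: `disable: true` under `secrets-outside-env` switches the audit off for every workflow in the repository, and the only thing that will bring it back is someone remembering the FIXME. The zizmor version is not pinned anywhere in this file, so nothing here will signal when 1.24.0 is in use. Linking a tracking issue in the comment, e.g. `# FIXME(<issue-link>): re-enable once the zizmor run uses >= 1.24.0`, would make the removal actionable. The `rules:` mapping starts above the hunk, but the context lines suggest the existing entries are scoped to named files; if this rule can be scoped the same way, that would be narrower than a global disable.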