Improved existing setup for zizmor checks #1062

Open
Sandijigs wants to merge 2 commits into rust-lang:master from Sandijigs:fix/zizmor-use-official-action

Conversation

@Sandijigs

I kept the audit behavior the same as #1037 still pedantic persona, still
min-severity: low, still pointed at .github/workflows. The main difference
is that the install step is gone and the action now uploads its findings as
SARIF, so they show up in the Security tab instead of only in the workflow logs.

For that SARIF upload to work the job needs security-events: write,
contents: read, and actions: read, so I added those at the job level
and tightened the workflow-level permissions to {} while I was there.

The action is pinned by commit SHA (v0.5.6) to keep zizmor's own
unpinned-uses rule happy, same convention as #1037.

Closes #1061.
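
As an added example (not code from this PR or the rust-lang repository), a small Python check for the two properties the description relies on: `uses:` refs pinned to a full commit SHA, and least-privilege permissions (`{}` at workflow level, explicit scopes per job). It assumes the workflow has already been loaded into a dict (for instance with PyYAML; the loader is not included), re-implements the intent of zizmor's unpinned-uses rule rather than zizmor's own logic, and takes `SARIF_SCOPES` from the three scopes listed above.

```python
import re
from typing import Any

# A full 40-hex commit SHA is immutable; a tag or branch (v0.5.6, main) can move.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# The job-level scopes the PR grants so the action can upload SARIF.
SARIF_SCOPES = {"security-events": "write", "contents": "read", "actions": "read"}


def unpinned_uses(workflow: dict[str, Any]) -> list[str]:
    """Return 'job/step' labels whose `uses:` ref is not a full commit SHA.

    Mirrors the intent of zizmor's unpinned-uses rule (own re-implementation,
    not zizmor's code): only a SHA guarantees the action contents cannot change.
    """
    findings = []
    for job_name, job in workflow.get("jobs", {}).items():
        for step in job.get("steps", []):
            uses = step.get("uses")
            if not uses or uses.startswith(("./", "docker://")):
                continue  # local and container actions are out of scope here
            _, _, ref = uses.partition("@")
            if not SHA_RE.match(ref):
                findings.append(f"{job_name}/{step.get('name', uses)}")
    return findings


def permission_findings(workflow: dict[str, Any]) -> list[str]:
    """Check the least-privilege layout from the PR: `permissions: {}` at the
    workflow level, an explicit map per job, no job scope beyond the SARIF set."""
    findings = []
    top = workflow.get("permissions")
    if top is None:
        findings.append("workflow: no top-level permissions (repository default applies)")
    elif top != {}:
        findings.append("workflow: top-level permissions should be {}")
    for job_name, job in workflow.get("jobs", {}).items():
        perms = job.get("permissions")
        if perms is None:
            findings.append(f"{job_name}: no job-level permissions")
        elif not isinstance(perms, dict):  # e.g. the string write-all / read-all
            findings.append(f"{job_name}: permissions should be an explicit map")
        else:
            for scope, level in perms.items():
                if SARIF_SCOPES.get(scope) != level:
                    findings.append(f"{job_name}: unexpected {scope}: {level}")
    return findings
```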

rustbot added the S-waiting-on-review (Status: Awaiting review from the assignee but also interested parties.) label on Jun 3, 2026
@rustbot
Collaborator

rustbot commented Jun 3, 2026

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @Mark-Simulacrum (or someone else) some time within the next two weeks.

Why was this reviewer chosen?

The reviewer was selected based on:

  • Fallback group: @Mark-Simulacrum, internal-sites
  • @Mark-Simulacrum, internal-sites expanded to Mark-Simulacrum, Urgau, ehuss, jieyouxu
  • Random selection from Mark-Simulacrum, Urgau, ehuss, jieyouxu

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@rustbot
Collaborator

rustbot commented Jun 4, 2026

This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

Contributor

@ubiratansoares ubiratansoares left a comment


Comment on lines +36 to +38
inputs: .github/workflows
persona: pedantic
min-severity: low
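Review bot: the reviewer's reading is right: `min-severity: low` drops findings below low from the report, so it narrows what `persona: pedantic` (which widens the audit set) surfaces. The PR description keeps it only to match #1037; if the goal is to see every finding, remove the `min-severity` line and keep `persona: pedantic`, and add a one-line comment above these inputs stating why the persona was chosen so the setting reads as deliberate.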
Contributor


If I got this input correctly, it acts like a filter for findings. Most likely we don't want to have any filters.

run: zizmor --persona pedantic --min-severity low .github/workflows
- name: Run zizmor
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
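Review bot: replacing the `run:` step with the action changes where a failure comes from: the CLI exit status no longer gates the job, and the description says findings now go to the Security tab as SARIF. If CI should fail on findings, as the reviewer asks, that needs an explicit input under `with:` (the action documents an input that disables the advanced-security upload; confirm its exact name against the README at the pinned v0.5.6). Keep the `# v0.5.6` comment beside the SHA: pin-updating tools use it to know which release the SHA corresponds to.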
Contributor


We should also opt out of GitHub Advanced Security, since we want to fail the CI in case there are any zizmor findings, at least for now.

- name: Run zizmor
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
inputs: .github/workflows
Contributor


Since the default path for inputs collection is ., we can remove this one.


Development

Successfully merging this pull request may close these issues.

Improve existing setup for zizmor checks