23 changes: 11 additions & 12 deletions .github/workflows/zizmor.yml
@@ -15,25 +15,24 @@ concurrency:
group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
cancel-in-progress: true

# Minimal permissions for auditing
permissions:
contents: read
permissions: {}

jobs:
zizmor:
name: Run zizmor security audit
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
steps:
# Checkout repository without persisting credentials to reduce attack surface
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Install zizmor
run: |
curl -sSL https://github.com/woodruffw/zizmor/releases/download/v1.24.1/zizmor-x86_64-unknown-linux-gnu.tar.gz | tar -xz
chmod +x zizmor
sudo mv zizmor /usr/local/bin/

- name: Run zizmor audit
run: zizmor --persona pedantic --min-severity low .github/workflows
- name: Run zizmor
uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
with:
Contributor
We should also opt out from GitHub Advanced Security, since we want to fail the CI in case there are any zizmor findings, at least for now.

inputs: .github/workflows
Contributor
Since the default path for `inputs` collection is `.`, we can remove this one.

persona: pedantic
min-severity: low
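Review bot: the job-level `security-events: write` grant is only there for the code-scanning (SARIF) upload, and the comment above says the intent is to opt out of Advanced Security and fail CI on findings instead; once that upload is disabled, drop `security-events: write` so the job runs with `contents: read` (and `actions: read` only if the action actually needs it), which keeps the new top-level `permissions: {}` reset meaningful. Replacing the unverified `curl ... | tar -xz` download of v1.24.1 with `zizmorcore/zizmor-action` pinned to a commit SHA and annotated `# v0.5.6` is the right direction; when bumping, update the SHA and the version comment together so they do not drift apart.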
Comment on lines +36 to +38
Contributor
If I got this input correctly, it acts like a filter for findings. Most likely we don't want to have any filters.