From 28f8975b45dd815d02f6085308409bc38265ded1 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Wed, 25 Mar 2026 12:51:07 +0100
Subject: [PATCH 1/2] ci: switch to reusable workflow to run zizmor
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/workflows/.zizmor.yml | 48 ++++-------------------------------
 .github/zizmor.yml | 4 +++
 2 files changed, 9 insertions(+), 43 deletions(-)
diff --git a/.github/workflows/.zizmor.yml b/.github/workflows/.zizmor.yml
index 69797bf8..41c24eef 100644
--- a/.github/workflows/.zizmor.yml
+++ b/.github/workflows/.zizmor.yml
@@ -1,6 +1,5 @@
 name: .zizmor
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
@@ -16,50 +15,13 @@ on:
       - 'releases/v*'
   pull_request:
-env:
-  ZIZMOR_VERSION: 1.22.0 # https://github.com/zizmorcore/zizmor
-
 jobs:
   zizmor:
-    runs-on: ubuntu-24.04
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0
     permissions:
       contents: read
       security-events: write
-    env:
-      TMPDIR: /tmp/zizmor
-    steps:
-      - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      - name: Setup uv
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
-        with:
-          enable-cache: false
-      - name: Install zizmor
-        run: |
-          set -ex
-          uv tool install zizmor@${ZIZMOR_VERSION}
-      - name: Run zizmor
-        id: zizmor
-        run: |
-          mkdir -p ${TMPDIR}
-          set -ex
-          zizmor --min-severity=medium --min-confidence=medium --persona=pedantic --no-online-audits --format=sarif . > ${TMPDIR}/zizmor.sarif
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      - name: Zizmor crash report
-        if: ${{ failure() && steps.zizmor.conclusion == 'failure' }}
-        run: |
-          cat ${TMPDIR}/report-*.toml
-      - name: Upload SARIF report
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
-        with:
-          sarif_file: ${{ env.TMPDIR }}/zizmor.sarif
-          category: zizmor
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index efe8dec7..5c407488 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -7,3 +7,7 @@ rules:
       - bake.yml
       - build.yml
       - verify.yml
+
+  # FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783
+  secrets-outside-env:
+    disable: true
From 7a04a201ebe9f850ddf32f0748573ac23ebc7712 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Wed, 25 Mar 2026 12:54:23 +0100
Subject: [PATCH 2/2] fix zizmor findings
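Review bot: The `with:` block carries over `min-severity`, `min-confidence` and `persona`, but nothing replaces the `--no-online-audits` flag the deleted `Run zizmor` step passed, so whether online audits now run, and with which token, is decided entirely by the called workflow. If the `zizmor.yml` in `crazy-max/.github` exposes an input for that, pass it explicitly so the scan's behaviour stays pinned in this repository; if it does not, a comment on the `uses:` line such as `# online audits and the zizmor version are controlled by the reusable workflow` saves the next reader the lookup. The locally pinned `ZIZMOR_VERSION` also disappears, so the zizmor version in use is now whatever the pinned workflow SHA installs, which is worth a sentence in the commit message. Pinning the reusable workflow to a full commit SHA with a version comment is the right way to take that dependency.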
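Review bot: `secrets-outside-env: disable: true` switches the rule off for every workflow in the repository, although the FIXME describes a persona mis-attribution rather than a false positive in every file. zizmor's per-rule config also accepts an `ignore:` list of workflow files, which appears to be what the file list just above this hunk uses, so scoping the suppression to the file(s) that produced the finding would keep the audit active elsewhere until the upstream fix lands. Since the first patch of this series removes the locally pinned `ZIZMOR_VERSION`, the "when zizmor 1.24.0 is released" trigger no longer maps to a change in this repository; `# FIXME: remove once the crazy-max/.github zizmor workflow ships zizmor >= 1.24.0 (https://github.com/zizmorcore/zizmor/pull/1783)` would point the maintainer at the right place. The enclosing `rules:` mapping starts outside the hunk.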
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
---
 .github/dependabot.yml | 6 ++++
 .github/workflows/.pr-assign-author.yml | 38 ++-----------------------
 .github/workflows/.test-bake.yml | 1 -
 .github/workflows/.test-build.yml | 1 -
 .github/workflows/.zizmor.yml | 2 +-
 5 files changed, 9 insertions(+), 39 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index e7d0e5b2..d75d49f1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -4,7 +4,13 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 2
     open-pull-requests-limit: 10
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
     labels:
       - "area/dependencies"
       - "bot"
diff --git a/.github/workflows/.pr-assign-author.yml b/.github/workflows/.pr-assign-author.yml
index a806bd98..f4333620 100644
--- a/.github/workflows/.pr-assign-author.yml
+++ b/.github/workflows/.pr-assign-author.yml
@@ -1,6 +1,5 @@
 name: .pr-assign-author
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
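Review bot: The new `crazy-max-dot-github` group matches `"crazy-max/.github/*"`, but Dependabot appears to name a reusable-workflow dependency by its repository (`crazy-max/.github`, as its bump PR titles read) rather than by the workflow path, in which case the trailing `/*` never matches and the group stays empty while the two new `uses:` pins are bumped individually. Confirm against the next Dependabot run and, if so, use `- "crazy-max/.github"` or `- "crazy-max/.github*"` as the pattern. The `cooldown.default-days: 2` addition is a reasonable brake now that two workflow files are taken on trust from another repository. The enclosing `updates:` entry starts outside the hunk, so the `package-ecosystem` this applies to is not visible here.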
@@ -11,41 +10,8 @@ on:
       - reopened
 jobs:
-  assign-author:
-    runs-on: ubuntu-24.04
+  run:
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
     permissions:
       contents: read
       pull-requests: write
-    steps:
-      - name: Assigning author to PR
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          script: |
-            try {
-              const dt = context.payload?.pull_request;
-              if (!dt) {
-                throw new Error(`No pull request payload found, skipping.`);
-              }
-
-              const { assignees, number, user: { login: author, type } } = dt;
-              if (assignees.length > 0) {
-                throw new Error(`Pull request is already assigned to someone, skipping.`);
-              } else if (type !== 'User') {
-                throw new Error(`Not a user, skipping.`);
-              }
-
-              const respAdd = await github.rest.issues.addAssignees({
-                ...context.repo,
-                issue_number: number,
-                assignees: [author]
-              });
-              core.debug(`addAssignees resp: ${JSON.stringify(respAdd, null, 2)}`);
-              if (respAdd.status !== 201) {
-                throw new Error(`Failed to assign @${author} to the pull request #${number}.`);
-              }
-
-              core.info(`@${author} has been assigned to the pull request #${number}`);
-            } catch (e) {
-              core.warning(e.message);
-            }
diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml
index 2ae83e0a..746a59b7 100644
--- a/.github/workflows/.test-bake.yml
+++ b/.github/workflows/.test-bake.yml
@@ -1,6 +1,5 @@
 name: .test-bake
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
diff --git a/.github/workflows/.test-build.yml b/.github/workflows/.test-build.yml
index c8c81e59..b09471b5 100644
--- a/.github/workflows/.test-build.yml
+++ b/.github/workflows/.test-build.yml
@@ -1,6 +1,5 @@
 name: .test-build
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
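Review bot: The job id changes from `assign-author` to `run`, which loses the descriptive name and is likely to change the check name shown on pull requests; if a branch protection rule or ruleset lists the old check it will need updating, and keeping `assign-author:` as the job id avoids both. The removed inline script only acted when the PR had no assignee and `user.type === 'User'`; those guards are now assumed to live in the called workflow, to which `pull-requests: write` is delegated, so a short comment on the `uses:` line stating the expected behaviour (`# assigns the PR author when the PR is unassigned and opened by a user account`) would keep the contract visible in this repository. The `on:` block this hunk is anchored to starts outside the hunk.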
diff --git a/.github/workflows/.zizmor.yml b/.github/workflows/.zizmor.yml
index 41c24eef..62cf85b7 100644
--- a/.github/workflows/.zizmor.yml
+++ b/.github/workflows/.zizmor.yml
@@ -17,7 +17,7 @@ on:
 jobs:
   zizmor:
-    uses: crazy-max/.github/.github/workflows/zizmor.yml@20ef82212dc54bab5749f5e05576ca6d3c8a5773 # v1.1.0
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
     permissions:
       contents: read
       security-events: write