
[plan] Verify zizmor scan shows reduced obfuscation count #12939

Opened by @github-actions

Objective

Run the zizmor security scanner to verify that the obfuscation issue count has been reduced from 126 to 0 (or near-zero) after recompiling workflows.

Context

From discussion #12933: After fixing the compiler and recompiling workflows, we should verify the fix by running the same static analysis tool that detected the issue.

Current State: 126 obfuscation warnings across 63 workflows
Expected State: 0-10 warnings (some may remain if legitimate)

Prerequisites

This task depends on:

  1. ✅ Compiler updated (Issue #1)
  2. ✅ Tests pass (Issue #2)
  3. ✅ Workflows recompiled (Issue #3)

Approach

  1. Install zizmor (if not already available):

    cargo install zizmor  # or pipx install zizmor / brew install zizmor / a prebuilt release binary
  2. Run scan on recompiled workflows:

    zizmor --no-exit-codes --format json .github/workflows/*.lock.yml > zizmor-results.json

    --no-exit-codes matters here: by default zizmor exits non-zero whenever it reports any finding, so without it the scan step "fails" (and aborts a set -e script) even though the JSON was written correctly.
  3. Count obfuscation issues. zizmor's JSON output is a flat array of findings, each tagged with the audit name in `ident` and an `ignored` flag for findings suppressed by a `# zizmor: ignore[...]` comment:

    jq '[.[] | select(.ident == "obfuscation" and (.ignored | not))] | length' zizmor-results.json
  4. Review any remaining obfuscation warnings to determine if legitimate; each finding's `locations[]` entries identify the workflow file and the flagged expression, so group by file to see which recompiled workflows still trip the audit.
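The scan-and-count steps above, together with the before/after summary that the Documentation section below asks for, as a single added script. This is example code written for this page, not part of gh-aw or of zizmor itself. It assumes zizmor's `--format json` output is a top-level array of findings, each carrying an `ident` (the audit name) and an `ignored` flag; the path extraction treats the `locations[].symbolic.key.Local` layout as an assumption and accepts either a bare path string or an object with `given_path`, since that shape has changed between zizmor releases. The embedded sample results are constructed, not real scan output.

```python
#!/usr/bin/env python3
"""Count zizmor 'obfuscation' findings and draft the before/after summary.

Added example, not gh-aw or zizmor code. Usage:
    zizmor --no-exit-codes --format json .github/workflows/*.lock.yml > zizmor-results.json
    python3 count_obfuscation.py zizmor-results.json
With no argument it runs against the constructed SAMPLE_RESULTS below.
"""
import json
import sys
from collections import Counter

BASELINE = 126      # count reported in discussion #12933 before the compiler fix
TARGET_MAX = 10     # acceptance criterion: fewer than 10 remaining
MIN_REDUCTION = 90  # validation checklist: more than 90% reduction
AUDIT = "obfuscation"


def finding_path(finding):
    """Best-effort workflow path for one finding.

    Assumption: locations[].symbolic.key is {"Local": ...}, where the value is
    a bare path in some zizmor releases and an object with "given_path" in
    others; both shapes are accepted.
    """
    for loc in finding.get("locations", []):
        key = loc.get("symbolic", {}).get("key", {})
        local = key.get("Local") if isinstance(key, dict) else None
        if isinstance(local, str):
            return local
        if isinstance(local, dict) and isinstance(local.get("given_path"), str):
            return local["given_path"]
    return "<unknown>"


def obfuscation_findings(findings, include_ignored=False):
    """Keep obfuscation-audit findings; drop ones suppressed by an ignore comment."""
    return [
        f for f in findings
        if f.get("ident") == AUDIT and (include_ignored or not f.get("ignored", False))
    ]


def summarize(findings, baseline=BASELINE):
    """Count what remains, group it per workflow, and score it against the targets."""
    remaining = obfuscation_findings(findings)
    per_file = Counter(finding_path(f) for f in remaining)
    after = len(remaining)
    reduction = 100.0 * (baseline - after) / baseline if baseline else 0.0
    return {
        "before": baseline,
        "after": after,
        "reduction_pct": round(reduction, 1),
        "per_file": dict(sorted(per_file.items())),
        "meets_target": after < TARGET_MAX and reduction > MIN_REDUCTION,
    }


def render_comment(summary):
    """Markdown bullets in the shape the discussion summary comment uses."""
    lines = [
        f"- Before: {summary['before']} obfuscation warnings",
        f"- After: {summary['after']} warnings",
        f"- Reduction: {summary['reduction_pct']}% improvement",
    ]
    if summary["per_file"]:
        lines.append("- Remaining issues:")
        lines += [f"  - {path}: {n}" for path, n in summary["per_file"].items()]
    else:
        lines.append("- Remaining issues: none")
    return "\n".join(lines)


def _finding(ident, path, ignored=False):
    """Build one finding in the assumed zizmor JSON layout (sample data only)."""
    return {
        "ident": ident,
        "determinations": {"confidence": "High", "severity": "Low", "persona": "Regular"},
        "locations": [{"symbolic": {"key": {"Local": {"given_path": path}}}}],
        "ignored": ignored,
    }


# Constructed sample, not real scan output: three live obfuscation findings,
# one suppressed with an ignore comment, and one finding from a different audit.
SAMPLE_RESULTS = [
    _finding(AUDIT, ".github/workflows/a.lock.yml"),
    _finding(AUDIT, ".github/workflows/a.lock.yml"),
    _finding(AUDIT, ".github/workflows/b.lock.yml"),
    _finding(AUDIT, ".github/workflows/c.lock.yml", ignored=True),
    _finding("template-injection", ".github/workflows/b.lock.yml"),
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            results = json.load(fh)
    else:
        results = SAMPLE_RESULTS
    summary = summarize(results)
    print(render_comment(summary))
    sys.exit(0 if summary["meets_target"] else 1)
```

The script exits non-zero when either acceptance check fails (10 or more findings remain, or the reduction is 90% or less), so it can sit directly in a verification job; the per-file breakdown it prints is the list of workflows to inspect in step 4.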

Expected Results

Before Fix: 126 obfuscation warnings
After Fix: 0-10 warnings (ideally 0)

If any warnings remain, document:

  • Which workflows still have the issue
  • Why the compiler didn't fix them (dynamic values?)
  • Whether they're legitimate use cases

Validation Checklist

  • Zizmor installed and runs successfully
  • Scan completes on all workflow files
  • Obfuscation count significantly reduced (>90%)
  • Remaining warnings (if any) are documented
  • Results saved for comparison in future scans

Documentation

Create a summary comment in discussion #12933:

  • Before: 126 obfuscation warnings
  • After: X warnings
  • Reduction: Y% improvement
  • Remaining issues: [list if any]

Acceptance Criteria

  • Zizmor scan runs successfully
  • Obfuscation count reduced to <10
  • Results documented in discussion comment
  • Any remaining warnings explained

Related

Discussion #12933 - Static Analysis Report (Item 2: Obfuscation)

AI generated by Plan Command for discussion #12933
