
#571 add zizmor workflow#945

Open
kreinba wants to merge 3 commits into objectionary:master from kreinba:571

Conversation

@kreinba kreinba commented Jun 11, 2026


Closes #571.

Adds a zizmor workflow under .github/workflows/ so the project's GitHub Actions files are statically analyzed on every push and pull request to master, in line with the other workflow-level checks already wired up (actionlint, yamllint, markdown-lint, etc.). The job uses the official zizmorcore/zizmor-action with the narrowed permission set the action documents.

Verified locally with yamllint .github/workflows/zizmor.yml (clean), actionlint .github/workflows/zizmor.yml (clean), and reuse lint (still compliant).

Wire zizmor static analysis into CI for GitHub Actions security checks.
github-actions bot added the label core (Changes are made to core parts of the code base) on Jun 11, 2026
@github-advanced-security


You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Workflow fragment under review (job-level permissions and steps):

    permissions:
      contents: read
      actions: read
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - uses: zizmorcore/zizmor-action@v0.5.6
kreinba added 2 commits June 11, 2026 00:24
Match the existing project convention of pinning actions by tag rather than full SHA, so the new zizmor job audits unpinned-uses against ref-pin rather than the default hash-pin.
Drop the invalid zizmor.yml config and switch the action to continue-on-error with advanced-security disabled, so findings surface in job logs without breaking CI while the team addresses the existing workflow issues.
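As an added, illustrative example (not the file from this PR or anything in the objectionary repository), here is how the workflow described in the PR description and the commit messages above could be laid out, together with a zizmor config that makes unpinned-uses audit against ref-pin instead of the default hash-pin. The triggers on master, the job-level contents: read and actions: read permissions, the checkout with persist-credentials: false, the pinned action versions, the step-level continue-on-error and advanced-security: false are taken from the page; the workflow and job names, the .github/zizmor.yml location and the rules/unpinned-uses/config/policies layout follow zizmor's documented config format and are assumptions of this example, not something shown in the PR.

```yaml
# .github/workflows/zizmor.yml  (added example, not the PR's file)
name: zizmor

on:
  push:
    branches: [master]
  pull_request:
    branches: [master]

jobs:
  zizmor:
    runs-on: ubuntu-latest
    # The narrowed permission set the PR description refers to.
    permissions:
      contents: read
      actions: read
    steps:
      - uses: actions/checkout@v6
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps
          # (this is what zizmor's own artipacked audit flags).
          persist-credentials: false

      - uses: zizmorcore/zizmor-action@v0.5.6
        # Non-fatal while existing workflow findings are being fixed:
        # the job stays green and findings are read from the step log.
        continue-on-error: true
        with:
          # No SARIF upload to Code Scanning; results stay in the log.
          advanced-security: false
---
# .github/zizmor.yml  (separate file; rule-config layout per zizmor docs, assumed here)
rules:
  unpinned-uses:
    config:
      policies:
        # Project convention: pinning by tag is acceptable for every action.
        # zizmor's default for "*" is hash-pin, which would flag @v6 / @v0.5.6.
        "*": ref-pin
```

Two practical consequences worth keeping in mind. With advanced-security set to false nothing is uploaded to GitHub Code Scanning, so the Security-tab results and PR annotations described in the github-advanced-security comment above do not materialise until that input is switched back on, and continue-on-error means the step log is the only place the findings appear. Relaxing unpinned-uses to ref-pin silences the tag-pin findings but does not change the underlying trade-off: a tag such as v6 is a mutable reference that the action's publisher can move, whereas a full commit SHA is not.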


Development

Successfully merging this pull request may close these issues.

zizmor static analysis tool missing from build pipeline

2 participants