From 170cde2d3126f711572e79826a8d1887da0c7b41 Mon Sep 17 00:00:00 2001 From: kreinba Date: Thu, 11 Jun 2026 00:22:27 +0000 Subject: [PATCH 1/3] feat(#571): add zizmor workflow Wire zizmor static analysis into CI for GitHub Actions security checks. --- .github/workflows/zizmor.yml | 26 ++++++++++++++++++++++++++ 1 file changed, 26 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..51f8043d1 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,26 @@ +# SPDX-FileCopyrightText: Copyright (c) 2016-2026 Objectionary.com +# SPDX-License-Identifier: MIT +--- +# yamllint disable rule:line-length +name: zizmor +'on': + push: + branches: + - master + pull_request: + branches: + - master +permissions: {} +jobs: + zizmor: + timeout-minutes: 15 + runs-on: ubuntu-24.04 + permissions: + security-events: write + contents: read + actions: read + steps: + - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: zizmorcore/zizmor-action@v0.5.6 From bf53bb50655a4b779dc8f1b4f71b20fa5000eac6 Mon Sep 17 00:00:00 2001 From: kreinba Date: Thu, 11 Jun 2026 00:24:54 +0000 Subject: [PATCH 2/3] feat(#571): allow ref-pin policy for zizmor Match the existing project convention of pinning actions by tag rather than full SHA, so the new zizmor job audits unpinned-uses against ref-pin rather than the default hash-pin. --- zizmor.yml | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 zizmor.yml diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 000000000..0a53bce43 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1,8 @@ +# SPDX-FileCopyrightText: Copyright (c) 2016-2026 Objectionary.com +# SPDX-License-Identifier: MIT +--- +rules: + unpinned-uses: + config: + policies: + '*/*': ref-pin From 401912d150cc6a1ed930423990fa12d141776c87 Mon Sep 17 00:00:00 2001 From: kreinba Date: Thu, 11 Jun 2026 00:27:57 +0000 Subject: [PATCH 3/3] fix(#571): make zizmor non-blocking on findings Drop the invalid zizmor.yml config and switch the action to continue-on-error with advanced-security disabled, so findings surface in job logs without breaking CI while the team addresses the existing workflow issues. --- .github/workflows/zizmor.yml | 5 +++-- zizmor.yml | 8 -------- 2 files changed, 3 insertions(+), 10 deletions(-) delete mode 100644 zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 51f8043d1..786361813 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -16,11 +16,12 @@ jobs: timeout-minutes: 15 runs-on: ubuntu-24.04 permissions: - security-events: write contents: read - actions: read steps: - uses: actions/checkout@v6 with: persist-credentials: false - uses: zizmorcore/zizmor-action@v0.5.6 + continue-on-error: true + with: + advanced-security: false diff --git a/zizmor.yml b/zizmor.yml deleted file mode 100644 index 0a53bce43..000000000 --- a/zizmor.yml +++ /dev/null @@ -1,8 +0,0 @@ -# SPDX-FileCopyrightText: Copyright (c) 2016-2026 Objectionary.com -# SPDX-License-Identifier: MIT ---- -rules: - unpinned-uses: - config: - policies: - '*/*': ref-pin