Skip to content

chore(ci): Move to zizmor action with stricter config #4808

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 4, 2025
Merged

chore(ci): Move to zizmor action with stricter config #4808

merged 3 commits into from
Oct 4, 2025

Conversation

npalm
Copy link
Member

@npalm npalm commented Oct 4, 2025
edited
Loading

This pull request primarily improves the security, clarity, and maintainability of the project's GitHub Actions workflows. The most significant changes include replacing the custom zizmor lint workflow with the official zizmor GitHub Action, updating permissions with explicit comments for better documentation, and upgrading action versions for enhanced security and reliability.

@npalm npalm requested a review from a team as a code owner October 4, 2025 11:11
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 4, 2025
edited
Loading

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
actions/github/codeql-action/analyze 64d10c13136e1c5bce3e5fbde8d4906eeaafc885 UnknownUnknown
actions/github/codeql-action/init 64d10c13136e1c5bce3e5fbde8d4906eeaafc885 UnknownUnknown
actions/github/codeql-action/upload-sarif dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 UnknownUnknown
actions/actions/checkout 08c6903cd8c0fde910a37f88322edcfb5dd907a8 🟢 6.8
Details
CheckScoreReason
Code-Review🟢 10all changesets reviewed
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Maintained🟢 57 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Binary-Artifacts🟢 10no binaries found in the repo
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
Packaging⚠️ -1packaging workflow not detected
Pinned-Dependencies🟢 3dependency not pinned by hash detected -- score normalized to 3
Fuzzing⚠️ 0project is not fuzzed
Signed-Releases⚠️ -1no releases found
Security-Policy🟢 9security policy file detected
Branch-Protection⚠️ -1internal error: error during GetBranch(releases/v2): error during branchesHandler.query: internal error: githubv4.Query: Resource not accessible by integration
SAST🟢 9SAST tool detected but not run on all commits
Vulnerabilities🟢 100 existing vulnerabilities detected
actions/zizmorcore/zizmor-action e673c3917a1aef3c65c972347ed84ccd013ecda4 UnknownUnknown

Scanned Files

  • .github/workflows/actions.yml
  • .github/workflows/codeql.yml
  • .github/workflows/ossf-scorecard.yml
  • .github/workflows/zizmor.yml

@github-advanced-security
Copy link

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@npalm npalm requested review from rjaegers and Copilot October 4, 2025 11:17
Copilot
Copilot AI reviewed Oct 4, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR improves the security, clarity, and maintainability of GitHub Actions workflows by replacing a custom zizmor lint workflow with the official zizmor GitHub Action and enhancing configuration documentation.

  • Replaced custom zizmor workflow with official zizmor-action for better maintainability
  • Added explicit comments to all permissions declarations for improved documentation
  • Updated action versions and enhanced security configurations

Reviewed Changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated no comments.

Show a summary per file
File Description
.github/zizmor.yml Updated configuration with stricter security rules and clearer ignore patterns
.github/workflows/zizmor.yml New workflow using official zizmor-action with pedantic security analysis
.github/workflows/update-docs.yml Added permission comments and security improvements
.github/workflows/terraform.yml Fixed quoting and improved TFLint execution with environment variables
.github/workflows/stale.yml Restructured permissions with explanatory comments
.github/workflows/semantic-check.yml Added permission documentation comments
.github/workflows/release.yml Enhanced with permission comments and improved variable handling
.github/workflows/ossf-scorecard.yml Updated action version and improved permission documentation
.github/workflows/lambda.yml Simplified matrix strategy and pinned container image with digest
.github/workflows/dependency-review.yml Added job name and permission documentation
.github/workflows/codeql.yml Updated CodeQL action versions and improved comments
.github/workflows/actions.yml Removed custom zizmor workflow in favor of official action

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

@npalm npalm merged commit 8e32c7b into main Oct 4, 2025
42 checks passed
@npalm npalm deleted the npalm/zizmor branch October 4, 2025 13:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@rjaegers rjaegers rjaegers approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@npalm @rjaegers