## Summary

After resolving the critical `trivy-action` vulnerability (GHSA-69fq-xp46-6x23) and suppressing known low/medium findings, zizmor CI now passes. However, several categories of findings are suppressed rather than fixed and should be addressed incrementally.

## Suppressed findings to address

### 1. `secrets-outside-env` (89 findings, medium severity)

Secrets are referenced in workflows without dedicated GitHub Environments. Adding environments provides:
- Environment protection rules (required reviewers, wait timers)
- Environment-scoped secrets (reduces blast radius)
- Deployment branch restrictions

Affected workflows (15+): `ci-slow.yml`, `claude.yml`, `integration-test-*.yml`, `linting.yml`, `notify-changelog.yml`, `pr_workspace_deploy.yml`, `publish_docker_image.yml`, `release.yml`, `release_prepare.yml`, `snack-it.yml`, `unit-test.yml`, `weekly-agent-pipelines-test.yml`

Effort: Medium-high. Requires creating GitHub Environments, scoping secrets to them, and updating workflow files. Should be done incrementally, one workflow at a time.

### 2. `superfluous-actions` (3 findings, low severity)

`peter-evans/find-comment` and `peter-evans/create-or-update-comment` duplicate functionality that `gh pr comment` / `gh issue comment` already provide, and the `gh` CLI is preinstalled on the runner.

Affected workflows: `check-links.yml`, `validate-changelog.yml`, `performance-profiling.yml`

Effort: Low. Replace the action steps with `gh` CLI commands in a `run:` block.

### 3. Previously tracked: `excessive-permissions` and `artipacked` (see #4658)

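A minimal workflow illustrating both fixes above, as an added example rather than one of the repository's own files: the first job has the shape zizmor flags, the second runs the same step under a GitHub Environment and posts the comment with `gh pr comment` instead of the third-party action. The Environment name `pr-comments`, the secret `BOT_TOKEN` and the action ref are assumptions.

```yaml
# Added example (not from the issue or the project). Environment name,
# secret name and the action ref below are assumptions.
name: pr-comment-example
on:
  pull_request:

permissions:
  contents: read

jobs:
  # Before: a repository secret is referenced in a job with no `environment:`
  # (secrets-outside-env), and a third-party action does what the
  # preinstalled gh CLI already does (superfluous-actions).
  comment-before:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
      - uses: peter-evans/create-or-update-comment@v4  # ref is assumed
        with:
          issue-number: ${{ github.event.pull_request.number }}
          body: "Link check finished."
          token: ${{ secrets.BOT_TOKEN }}  # assumed secret name

  # After: the job is bound to an Environment, so its protection rules apply
  # and BOT_TOKEN can be an environment-scoped secret instead of a
  # repository-wide one; the comment is posted from a run: block.
  comment-after:
    runs-on: ubuntu-latest
    environment: pr-comments  # assumed Environment name
    permissions:
      pull-requests: write
    env:
      # Secrets and event data go through env vars, not inline ${{ }} in
      # the script, so they are not interpolated into the shell source.
      GH_TOKEN: ${{ secrets.BOT_TOKEN }}
      PR_NUMBER: ${{ github.event.pull_request.number }}
    steps:
      - run: gh pr comment "$PR_NUMBER" --repo "$GITHUB_REPOSITORY" --body "Link check finished."
```

To update an existing comment rather than add a new one, `gh pr comment --edit-last` covers the `find-comment` + `create-or-update-comment` pair.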
These are already tracked in #4658.

## References

- zizmor docs: https://docs.zizmor.sh/
- Config: `.github/zizmor.yml`
- Run locally: `GH_TOKEN=$(gh auth token) uvx zizmor --config=.github/zizmor.yml .github/workflows/`