ci: zizmor workflow by crazy-max · Pull Request #52362 · moby/moby

crazy-max · 2026-04-15T10:25:02Z

see fixed alerts in https://github.com/moby/moby/security/code-scanning?query=pr%3A52362+is%3Aclosed

github-advanced-security · 2026-04-15T10:25:28Z

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

thaJeztah · 2026-04-15T10:29:29Z

+name: zizmor
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}


😇 should use pr-number now?

no it should be pr number only when workflows have a pull_request_target trigger

Oh! For others it won't work to use it? (was wondering if we could/should use a uniform approach)

Yes pull_request_target is a special trigger that always run on default branch

thaJeztah · 2026-04-15T10:33:00Z

        name: Get base ref
        id: base-ref
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0


Ah! I need this on docker/cli as well; I was hoping dependabot would update my comments to use the full version, but it .. doesn't; docker/cli#6923 (comment)

Yes should always be the canonical ref otherwise it reports one of:

https://docs.zizmor.sh/audits/#ref-confusion

https://docs.zizmor.sh/audits/#ref-version-mismatch

https://docs.zizmor.sh/audits/#impostor-commit

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

thaJeztah · 2026-04-15T13:23:48Z

-    #        ┌───────────── minute (0 - 59)
-    #        │ ┌───────────── hour (0 - 23)
-    #        │ │ ┌───────────── day of the month (1 - 31)
-    #        │ │ │ ┌───────────── month (1 - 12)
-    #        │ │ │ │ ┌───────────── day of the week (0 - 6) (Sunday to Saturday)
-    #        │ │ │ │ │
-    #        │ │ │ │ │
-    #        │ │ │ │ │
-    #        * * * * *


Can we keep this one? Saves me a trip to <wherever> because I always forget the columns used 😂

Usually your favorite IDE highlights it

Heh, yeah, possibly; then again, I may look at these on GitHub to check what's in them, and not necessarily editing.

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

thaJeztah

LGTM

thaJeztah · 2026-04-16T10:26:00Z

Failures are unrelated

github-actions Bot added the area/ci label Apr 15, 2026

thaJeztah reviewed Apr 15, 2026

View reviewed changes

Comment thread .github/workflows/zizmor.yml

thaJeztah reviewed Apr 15, 2026

View reviewed changes

crazy-max force-pushed the zizmor branch 3 times, most recently from adf28d1 to 3c78508 Compare April 15, 2026 12:23

ci: zizmor workflow

0c87818

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

crazy-max force-pushed the zizmor branch 2 times, most recently from 9433bef to 5cdd48e Compare April 15, 2026 12:29

crazy-max requested review from thaJeztah and vvoland April 15, 2026 12:30

crazy-max force-pushed the zizmor branch from 5cdd48e to 3c67f7e Compare April 15, 2026 12:32

crazy-max marked this pull request as ready for review April 15, 2026 12:32

vvoland approved these changes Apr 15, 2026

View reviewed changes

thaJeztah reviewed Apr 15, 2026

View reviewed changes

thaJeztah mentioned this pull request Apr 16, 2026

Update docker/bake-action digest to a66e1c8 - autoclosed #52370

Closed

1 task

crazy-max added 2 commits April 16, 2026 11:25

fix zizmor findings

1743957

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

ci: use bake matrix subaction

2437d5d

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

crazy-max force-pushed the zizmor branch from 3c67f7e to 2437d5d Compare April 16, 2026 09:25

thaJeztah approved these changes Apr 16, 2026

View reviewed changes

thaJeztah added this to the 29.4.1 milestone Apr 16, 2026

thaJeztah added the status/4-merge label Apr 16, 2026

thaJeztah merged commit 2e888cb into moby:master Apr 16, 2026
185 of 187 checks passed

crazy-max deleted the zizmor branch April 16, 2026 11:03

thaJeztah mentioned this pull request Jun 3, 2026

gha: add zizmor workflow docker/cli#7024

Merged

Conversation

crazy-max commented Apr 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-advanced-security AI commented Apr 15, 2026

What Enabling Code Scanning Means:

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

crazy-max Apr 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Uh oh!

crazy-max Apr 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

thaJeztah left a comment

Choose a reason for hiding this comment

Uh oh!

thaJeztah commented Apr 16, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

crazy-max commented Apr 15, 2026 •

edited

Loading

crazy-max Apr 15, 2026 •

edited

Loading

crazy-max Apr 15, 2026 •

edited

Loading