Conversation
--- Written by an agent (Claude Code, claude-opus-4-7).
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
📜 Recent review details⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
📝 WalkthroughWalkthroughAdds ChangesZizmor Security Scanning Workflow
Estimated code review effort🎯 2 (Simple) | ⏱️ ~12 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
There was a problem hiding this comment.
Pull request overview
Adds a GitHub Actions workflow to run zizmor against this repo’s workflows and publish findings to GitHub Code Scanning (SARIF) using least-privilege permissions.
Changes:
- Introduces
.github/workflows/zizmor.ymlto run on pushes tomain/release/**and PRs targeting those branches. - Uses workflow-level
permissions: {}with job-levelsecurity-events: write,contents: read,actions: read. - Pins
actions/checkoutandzizmorcore/zizmor-actionby commit SHA.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Fork PRs run with a read-only GITHUB_TOKEN, so the security-events: write permission isn't granted and the SARIF upload would fail. Switch to console output in that case so zizmor still runs and findings are visible in the job log. --- Written by an agent (Claude Code, claude-opus-4-7).
Resolves all 30 zizmor alerts reported on main after #11607: - template-injection (19): move `${{ ... }}` interpolations in `run:` blocks to `env:` so untrusted-ish values (workflow_dispatch inputs, github.ref_name, github.actor) can't break out of shell quoting. - artipacked (8): add `persist-credentials: false` to `actions/checkout` in audit, benchmark, ci, codeql-analysis, docker, release, test workflows. `update-lockfile.yml` keeps the persisted token (later step pushes to a branch) with a `zizmor: ignore[artipacked]` comment and justification. - dependabot-cooldown (1): add a 7-day cooldown so brand-new (potentially malicious) Actions releases don't get auto-PR'd day-of-release. - ref-version-mismatch (1): `bluwy/release-for-reddit-action` SHA pointed at the `v2` tag, not a non-existent `v2.0.0`. Fix the comment. - superfluous-actions (1): mark `softprops/action-gh-release` with a `zizmor: ignore` and justification — the release pipeline is sensitive and the action is battle-tested; we're not swapping it for `gh release` here. Verified locally with `zizmor --persona regular .github` (online audits on): No findings to report. Good job! (2 ignored, 32 suppressed) --- Written by an agent (Claude Code, claude-opus-4-7).
Summary
.github/workflows/zizmor.ymlrunning zizmor against the repo's GitHub Actions workflows.mainandrelease/**, and PRs targeting those branches.permissions: {}with job-level grants (security-events: write,contents: read,actions: read) so findings upload to the Code scanning alerts feed.actions/checkoutandzizmorcore/zizmor-actionby commit SHA, matching the pinning convention used elsewhere in.github/workflows/.Test plan
mainpushes.Written by an agent (Claude Code, claude-opus-4-7).
Summary by CodeRabbit