Skip to content

ci: add zizmor workflow for GitHub Actions security analysis#11607

Merged
zkochan merged 2 commits into
mainfrom
zizmor
May 12, 2026
Merged

ci: add zizmor workflow for GitHub Actions security analysis#11607
zkochan merged 2 commits into
mainfrom
zizmor

Conversation

@zkochan

@zkochan zkochan commented May 12, 2026

Copy link
Copy Markdown
Member

Summary

  • Adds .github/workflows/zizmor.yml running zizmor against the repo's GitHub Actions workflows.
  • Triggers: push to main and release/**, and PRs targeting those branches.
  • Empty workflow-level permissions: {} with job-level grants (security-events: write, contents: read, actions: read) so findings upload to the Code scanning alerts feed.
  • Pins actions/checkout and zizmorcore/zizmor-action by commit SHA, matching the pinning convention used elsewhere in .github/workflows/.

Test plan

  • Workflow runs on this PR and reports any findings under the Checks / Code scanning tab.
  • After merge, the workflow runs on main pushes.

Written by an agent (Claude Code, claude-opus-4-7).

Summary by CodeRabbit

  • Chores
    • Added an automated security and code-scanning workflow that runs on pushes and pull requests to main and release branches.
    • Enables advanced security uploads for main branch runs and for PRs originating from the same repository; for external PRs it reports findings without uploading scans.

Review Change Stack

---
Written by an agent (Claude Code, claude-opus-4-7).
Copilot AI review requested due to automatic review settings May 12, 2026 19:38
@coderabbitai

coderabbitai Bot commented May 12, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: cb68a903-3c11-4d0e-91b8-64b9ff3d8b4d

📥 Commits

Reviewing files that changed from the base of the PR and between f069d21 and 4ed7f48.

📒 Files selected for processing (1)
  • .github/workflows/zizmor.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/zizmor.yml
📜 Recent review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
  • GitHub Check: Compile & Lint

📝 Walkthrough

Walkthrough

Adds .github/workflows/zizmor.yml, a GitHub Actions workflow that triggers on pushes and PRs to main and release/**, scopes permissions minimally, checks out the repo without persisting credentials, and runs a pinned zizmorcore/zizmor-action with conditional advanced-security behavior.

Changes

Zizmor Security Scanning Workflow

Layer / File(s) Summary
Workflow triggers and permissions
.github/workflows/zizmor.yml
Defines workflow name and triggers for push/pull_request on main and release/**; sets global permissions to {} and job-level permissions (security-events: write, contents: read, actions: read).
Checkout and Zizmor action steps
.github/workflows/zizmor.yml
Adds pinned actions/checkout with persist-credentials: false, then runs a pinned zizmorcore/zizmor-action with advanced-security enabled only for non-PRs or PRs from the same repository (otherwise prints findings).

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

A rabbit danced across the CI,
Hopping through workflows, swift and spry,
Zizmor scans with watchful eye,
Permissions snug, no secret sly,
🐰✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title 'ci: add zizmor workflow for GitHub Actions security analysis' directly and accurately describes the main change: adding a new GitHub Actions workflow for security analysis using zizmor.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch zizmor

Comment @coderabbitai help to get the list of available commands and usage tips.

@github-advanced-security

Copy link
Copy Markdown
Contributor

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a GitHub Actions workflow to run zizmor against this repo’s workflows and publish findings to GitHub Code Scanning (SARIF) using least-privilege permissions.

Changes:

  • Introduces .github/workflows/zizmor.yml to run on pushes to main / release/** and PRs targeting those branches.
  • Uses workflow-level permissions: {} with job-level security-events: write, contents: read, actions: read.
  • Pins actions/checkout and zizmorcore/zizmor-action by commit SHA.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/zizmor.yml
Fork PRs run with a read-only GITHUB_TOKEN, so the security-events: write
permission isn't granted and the SARIF upload would fail. Switch to
console output in that case so zizmor still runs and findings are visible
in the job log.

---
Written by an agent (Claude Code, claude-opus-4-7).
@zkochan zkochan merged commit 6335860 into main May 12, 2026
15 checks passed
@zkochan zkochan deleted the zizmor branch May 12, 2026 19:48
zkochan added a commit that referenced this pull request May 12, 2026
Resolves all 30 zizmor alerts reported on main after #11607:

- template-injection (19): move `${{ ... }}` interpolations in `run:` blocks
  to `env:` so untrusted-ish values (workflow_dispatch inputs, github.ref_name,
  github.actor) can't break out of shell quoting.
- artipacked (8): add `persist-credentials: false` to `actions/checkout` in
  audit, benchmark, ci, codeql-analysis, docker, release, test workflows.
  `update-lockfile.yml` keeps the persisted token (later step pushes to a
  branch) with a `zizmor: ignore[artipacked]` comment and justification.
- dependabot-cooldown (1): add a 7-day cooldown so brand-new (potentially
  malicious) Actions releases don't get auto-PR'd day-of-release.
- ref-version-mismatch (1): `bluwy/release-for-reddit-action` SHA pointed at
  the `v2` tag, not a non-existent `v2.0.0`. Fix the comment.
- superfluous-actions (1): mark `softprops/action-gh-release` with a
  `zizmor: ignore` and justification — the release pipeline is sensitive and
  the action is battle-tested; we're not swapping it for `gh release` here.

Verified locally with `zizmor --persona regular .github` (online audits on):
  No findings to report. Good job! (2 ignored, 32 suppressed)

---
Written by an agent (Claude Code, claude-opus-4-7).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants