
Add zizmor GitHub workflow linter#798

Open
CarrotManMatt wants to merge 2 commits into
mainfrom
matt/add-zizmor-checks

Conversation

@CarrotManMatt (Member)

Also resolves suggestion audits by running the tool

@CarrotManMatt CarrotManMatt self-assigned this Jul 2, 2026
@CarrotManMatt CarrotManMatt added the deployment Changes to the deployment or CI/CD configuration label Jul 2, 2026
@MattyTheHacker MattyTheHacker requested a review from Copilot July 2, 2026 23:08

Copilot AI (Contributor) left a comment

Pull request overview

This PR introduces zizmor as a GitHub Actions/workflow linter (via pre-commit and zizmor.yaml) and applies a set of workflow hardening/cleanup changes consistent with running zizmor in “auditor” mode.

Changes:

  • Add zizmor configuration (zizmor.yaml) and install zizmor as a pre-commit hook.
  • Update multiple GitHub Actions workflows (concurrency, permissions, checkout credential handling, naming/labels) to address linter guidance.
  • Minor documentation/badge casing tweaks in README/CONTRIBUTING.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Reviewed changes per file:

  • zizmor.yaml: Adds zizmor rule configuration (ignore + ref pin policy).
  • README.md: Normalizes badge label casing.
  • CONTRIBUTING.md: Normalizes “ruff” naming/casing in docs.
  • .pre-commit-config.yaml: Adds zizmor pre-commit hook (auditor persona, autofix enabled).
  • .github/workflows/prevent-migrations-deletion.yaml: Adds concurrency, adjusts permissions placement, tweaks naming/comments.
  • .github/workflows/pr-auto-updater.yaml: Adds concurrency/default permissions reset and refines GitHub App token permissions.
  • .github/workflows/check-build-deploy.yaml: Adds concurrency, refines checkout settings, splits pre-commit behavior by event, and refines publishing gates/metadata.
  • .github/workflows/autofix-pre-commit.yaml: Adds concurrency and refines checkout/shell logic for running pre-commit (prek).

Comments suppressed due to low confidence (1)

.github/workflows/check-build-deploy.yaml:309

  • docker/build-push-action needs the repository contents (Dockerfile/build context), but this job never checks out the repo. Without an actions/checkout step, the build will run in an empty workspace and is likely to fail (or build the wrong context). Add a checkout step before the Docker steps.
            - name: Authenticate to container registry
              uses: docker/login-action@v4.3.0
              with:
                password: ${{secrets.GITHUB_TOKEN}}
                registry: ${{env.REGISTRY}}

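To make the hardening items in the review summary concrete, here is an added Python example (not code from this PR, from the repository, or from zizmor itself) that runs the same four categories of check over two constructed workflow samples: a top-level `permissions:` block, a `concurrency:` group, `persist-credentials: false` on `actions/checkout`, and a ref-pin versus hash-pin policy for `uses:` references. The policy dict, both sample workflows, and the 40-hex placeholder commit SHA are assumptions made for illustration; the checker is line-oriented rather than a YAML parser.

```python
"""Line-oriented audit of a GitHub Actions workflow for the hardening items the
review summary lists. Illustration only: this is not zizmor and uses no YAML
parser; regexes over lines suffice for conventionally formatted workflows."""
import fnmatch
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*(\S+)")
NO_PERSIST_RE = re.compile(r"^\s*persist-credentials:\s*false\s*$")
PINS = ["unpinned", "ref-pin", "hash-pin"]  # weakest to strongest
# Assumed policy (not this repository's zizmor.yaml): a glob on the action name
# maps to the weakest acceptable pin; the most specific (longest) glob wins.
DEFAULT_POLICY = {"actions/*": "ref-pin", "*": "hash-pin"}


def classify_pin(uses):
    """'hash-pin' for a 40-hex commit SHA, 'ref-pin' for any other @ref, else 'unpinned'."""
    ref = uses.rsplit("@", 1)[1] if "@" in uses else ""
    return "unpinned" if not ref else "hash-pin" if SHA_RE.match(ref) else "ref-pin"


def required_pin(action, policy=DEFAULT_POLICY):
    matches = [pat for pat in policy if fnmatch.fnmatch(action, pat)]
    return policy[max(matches, key=len)] if matches else "hash-pin"


def uses_of(line):
    """`owner/repo@ref` from a `uses:` line, or None; local and docker refs are skipped."""
    m = USES_RE.match(line)
    return None if not m or m.group(1).startswith(("./", "docker://")) else m.group(1)


def split_steps(lines):
    """Group each `- ` item under a `steps:` key into (first_lineno, item_lines)."""
    items, steps_indent, item_indent = [], None, None
    for lineno, line in enumerate(lines, 1):
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if line.strip() == "steps:":
            steps_indent, item_indent = indent, None
        elif steps_indent is None or indent <= steps_indent:
            steps_indent = None  # not inside a steps list, or just left one
        elif line.lstrip().startswith("- ") and (item_indent is None or indent == item_indent):
            item_indent = indent
            items.append((lineno, [line]))  # a new step begins
        elif items:
            items[-1][1].append(line)  # continuation of the current step
    return items


def audit(workflow_text, policy=DEFAULT_POLICY):
    """Return 'line N: ...' findings; an empty list means every check passed."""
    lines = workflow_text.splitlines()
    findings = []
    if not any(l.startswith("permissions:") for l in lines):
        findings.append("workflow: no top-level `permissions:`; default GITHUB_TOKEN grants apply to every job")
    if not any(l.startswith("concurrency:") for l in lines):
        findings.append("workflow: no `concurrency:` group; superseded runs on the same ref keep running")
    for lineno, line in enumerate(lines, 1):
        uses = uses_of(line)
        if uses is None:
            continue
        have, need = classify_pin(uses), required_pin(uses.split("@", 1)[0], policy)
        if PINS.index(have) < PINS.index(need):
            findings.append(f"line {lineno}: {uses} is {have}; policy requires {need}")
    for first, item in split_steps(lines):
        if any((uses_of(l) or "").startswith("actions/checkout") for l in item) \
                and not any(NO_PERSIST_RE.match(l) for l in item):
            findings.append(f"line {first}: actions/checkout without `persist-credentials: false`; "
                            "the token it writes to .git/config is readable by every later step")
    return findings


# Constructed samples (not this repository's workflows): a weak shape and a hardened one.
WEAK_WORKFLOW = """\
on: [push, pull_request]
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          password: ${{ secrets.GITHUB_TOKEN }}
"""
HARDENED_WORKFLOW = """\
on: [push, pull_request]
permissions: {}
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
jobs:
  test:
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: docker/login-action@0123456789abcdef0123456789abcdef01234567  # placeholder SHA
        with:
          registry: ghcr.io
          password: ${{ secrets.GITHUB_TOKEN }}
"""

if __name__ == "__main__":
    print("\n".join(audit(WEAK_WORKFLOW)) or "no findings")
```

Running the module prints the four findings for the weak sample (no top-level permissions, no concurrency group, `docker/login-action@v3` under a hash-pin policy, and a checkout that keeps credentials) and nothing for the hardened one. The policy's ref-pin exception for `actions/*` mirrors the trade-off a `ref pin policy` in a zizmor config expresses: first-party actions may float on a tag, everything else is pinned to a commit.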

fi

- name: Ensure No Warnings
uv run -- prek run --all-files --hook-stage manual --color never --skip ruff-check --skip uv-lock "${ARGS[@]}" | tee /tmp/prek.log
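Review bot: the `uv run -- prek run ... | tee /tmp/prek.log` line makes the step's exit status that of `tee` unless the shell has `pipefail` enabled, so a non-zero exit from prek would not by itself fail the "Ensure No Warnings" step. A `run:` step with no explicit `shell:` executes under `bash -e {0}` without `-o pipefail`; either set `shell: bash` on the step (GitHub then runs `bash --noprofile --norc -eo pipefail {0}`) or put `set -o pipefail` at the top of the script. If the intent is that a later check of /tmp/prek.log fails the step instead, a comment saying so would save the next reader the same question.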
Comment on lines +281 to +296
if: |
always()
&& needs.mypy.result =='success'
&& (
needs.pre-commit-PUSH.result == 'success'
|| needs.pre-commit-PULL_REQUEST.result == 'success'
)
&& needs.pytest.result == 'success'
&& needs.ruff-lint.result == 'success'
&& needs.uv-check.result == 'success'
&& (
github.event_name != 'pull_request'
|| github.event.pull_request.head.repo.full_name == 'CSSUoB/TeX-Bot-Py-V2'
)
name: Build and publish Docker image
needs: [mypy, pre-commit-PUSH, pre-commit-PULL_REQUEST, pytest, ruff-lint, uv-check]
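Review bot: `always()` in this `if:` also lets the job start after the workflow run has been cancelled, as long as every listed need had already reported `success`; for a job that publishes a Docker image, `!cancelled()` is the safer guard. It still forces evaluation of the condition when one of the needs is skipped, which is presumably why `always()` is here (only one of `pre-commit-PUSH` / `pre-commit-PULL_REQUEST` runs for a given event, and without a status-check function a skipped need would skip this job), but it does not fire on cancellation. The same-repository gate on `github.event.pull_request.head.repo.full_name` is sound: a pull request from a fork gets a read-only GITHUB_TOKEN and no secrets, so a registry push could not succeed anyway. Minor: `needs.mypy.result =='success'` is missing the space before `==` that the other comparisons have.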