Add zizmor GitHub workflow linter #798
Open
CarrotManMatt wants to merge 2 commits into
Contributor
Pull request overview
This PR introduces zizmor as a GitHub Actions/workflow linter (via pre-commit and zizmor.yaml) and applies a set of workflow hardening/cleanup changes consistent with running zizmor in “auditor” mode.
Changes:
- Add zizmor configuration (zizmor.yaml) and install zizmor as a pre-commit hook.
- Update multiple GitHub Actions workflows (concurrency, permissions, checkout credential handling, naming/labels) to address linter guidance.
- Minor documentation/badge casing tweaks in README/CONTRIBUTING.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| zizmor.yaml | Adds zizmor rule configuration (ignore + ref pin policy). |
| README.md | Normalizes badge label casing. |
| CONTRIBUTING.md | Normalizes “ruff” naming/casing in docs. |
| .pre-commit-config.yaml | Adds zizmor pre-commit hook (auditor persona, autofix enabled). |
| .github/workflows/prevent-migrations-deletion.yaml | Adds concurrency, adjusts permissions placement, tweaks naming/comments. |
| .github/workflows/pr-auto-updater.yaml | Adds concurrency/default permissions reset and refines GitHub App token permissions. |
| .github/workflows/check-build-deploy.yaml | Adds concurrency, refines checkout settings, splits pre-commit behavior by event, and refines publishing gates/metadata. |
| .github/workflows/autofix-pre-commit.yaml | Adds concurrency and refines checkout/shell logic for running pre-commit (prek). |
Comments suppressed due to low confidence (1)
.github/workflows/check-build-deploy.yaml:309
docker/build-push-action needs the repository contents (Dockerfile/build context), but this job never checks out the repo. Without an actions/checkout step, the build will run in an empty workspace and is likely to fail (or build the wrong context). Add a checkout step before the Docker steps.

```yaml
      - name: Authenticate to container registry
        uses: docker/login-action@v4.3.0
        with:
          password: ${{secrets.GITHUB_TOKEN}}
          registry: ${{env.REGISTRY}}
```
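As an added illustration, not the PR's actual files, the three pieces the review summary describes: a zizmor.yaml carrying an ignore entry and a ref-pin policy, the pre-commit hook in the auditor persona with autofix, and a workflow job showing the weak defaults beside the hardening the PR applies (top-level permissions reset, concurrency group, checkout without persisted credentials, pinned action refs). The hook `rev`, the ignored location `legacy-release.yaml:42:9`, the workflow name `example.yaml` and the all-zero commit SHA are placeholders; the rule names, the `policies` schema and the workflow keys are zizmor's documented configuration and standard GitHub Actions syntax.

```yaml
# zizmor.yaml (added example, not the PR's file)
rules:
  unpinned-uses:
    config:
      policies:
        # Tag pins are accepted for GitHub-owned actions; everything else
        # must be pinned to a full commit SHA. Use "ref-pin" for "*" to
        # get the tag-only policy the PR summary refers to.
        "actions/*": ref-pin
        "*": hash-pin
  artipacked:
    # Suppress one finding by file:line:col (placeholder location).
    ignore:
      - "legacy-release.yaml:42:9"

---
# .pre-commit-config.yaml excerpt (added example)
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: vX.Y.Z            # placeholder; pin to a released tag
    hooks:
      - id: zizmor
        # auditor persona reports every finding; --fix applies safe autofixes
        args: [--persona=auditor, --fix]

---
# .github/workflows/example.yaml (added example)
name: Example CI

on:
  push:
    branches: [main]
  pull_request:

# Weak default: omitting `permissions` lets every job inherit the
# repository-wide GITHUB_TOKEN scopes (zizmor: excessive-permissions).
# Hardened: reset to none here and grant the minimum per job.
permissions: {}

# One run per workflow and ref; a newer run on the same ref cancels
# the older one instead of queueing behind it.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Weak: `uses: actions/checkout@v4` (a mutable tag) with the default
      # persist-credentials: true, which leaves GITHUB_TOKEN in .git/config
      # for every later step and any uploaded artifact (zizmor: artipacked).
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v5.0.0 (placeholder SHA)
        with:
          persist-credentials: false
      - run: uv run -- prek run --all-files
```

Two caveats when copying this into a deploy workflow: `cancel-in-progress: true` will abort a publish that is half-way through if another push lands on the same ref, so publish jobs usually want their own group with cancellation off; and once `persist-credentials` is false, any later step that pushes back to the repository must be handed a token explicitly (for example via a GitHub App token, as the pr-auto-updater workflow in this PR does) rather than relying on the checkout's stored credentials.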
| fi | ||
|
|
||
| - name: Ensure No Warnings | ||
| uv run -- prek run --all-files --hook-stage manual --color never --skip ruff-check --skip uv-lock "${ARGS[@]}" | tee /tmp/prek.log |
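Review bot: the `| tee /tmp/prek.log` pipeline on the "Ensure No Warnings" step discards the exit status of `uv run -- prek run ...`: a `run` step with no explicit `shell:` executes under `bash -e {0}` without `pipefail`, so the step reports `tee`'s status and a failing hook run would still pass unless the rest of the step inspects the log or the step declares `shell: bash` (which adds `-o pipefail`). The visible lines show neither; add `shell: bash` to the step or prefix the command with `set -o pipefail` so a non-zero exit from prek fails the step.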
Comment on lines +281 to +296
| if: | | ||
| always() | ||
| && needs.mypy.result =='success' | ||
| && ( | ||
| needs.pre-commit-PUSH.result == 'success' | ||
| || needs.pre-commit-PULL_REQUEST.result == 'success' | ||
| ) | ||
| && needs.pytest.result == 'success' | ||
| && needs.ruff-lint.result == 'success' | ||
| && needs.uv-check.result == 'success' | ||
| && ( | ||
| github.event_name != 'pull_request' | ||
| || github.event.pull_request.head.repo.full_name == 'CSSUoB/TeX-Bot-Py-V2' | ||
| ) | ||
| name: Build and publish Docker image | ||
| needs: [mypy, pre-commit-PUSH, pre-commit-PULL_REQUEST, pytest, ruff-lint, uv-check] |
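Review bot: the fork guard in the `if:` condition compares `github.event.pull_request.head.repo.full_name` against the hard-coded slug `'CSSUoB/TeX-Bot-Py-V2'`, which silently stops publishing if the repository is renamed or transferred and is easy to leave behind when the workflow is copied; compare against `github.repository` instead (`github.event.pull_request.head.repo.full_name == github.repository`) so the check follows the repository. Separately, `always()` makes the job evaluate even after a cancellation, where the `== 'success'` checks then skip it correctly; `!cancelled()` states that intent more directly. Neither change alters current behaviour.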
Also resolves suggestion audits by running the tool