feat: add zizmor for GitHub Actions security #798
Open
henryiii wants to merge 1 commit into
Add zizmor (GitHub Actions static analysis) across the three concerns:

- repo-review: new GH106 check (uses the zizmor pre-commit hook or the zizmor-action), with tests and regenerated README.
- guide: new "Linting your workflows" section in gha_basic.md; the page is now bumped by the pc_bump nox session.
- cookiecutter: add the zizmor pre-commit hook and a .github/zizmor.yml (GitHub-CI projects only) that relaxes unpinned-uses to ref-pin so the template stays maintainable via Dependabot. The generated workflows are made zizmor-clean (top-level permissions, persist-credentials: false, enable-cache: false on the wheel build).

GH106 is ignored for this repo's own workflows for now.

Assisted-by: ClaudeCode:claude-opus-4.8
🤖 AI text below 🤖
Adds zizmor (GitHub Actions static analysis) across the three concerns of this repo.
repo-review

- `GH106` check: passes when the project uses the `zizmor-pre-commit` hook or the `zizmorcore/zizmor-action` in a workflow. Requires `GH100`.
- Added tests and regenerated the README check list.

Guide

- `gha_basic.md` (with the `GH106` badge), covering the pre-commit hook, `# zizmor: ignore` / `zizmor.yml`, and the GitHub Action.
- `gha_basic.md` is now included in the `pc_bump` nox session so the hook rev stays maintained.

Cookiecutter template

- `zizmor` pre-commit hook to `.pre-commit-config.yaml` (GitHub-CI projects only).
- `.github/zizmor.yml` (GitHub-CI projects only) that disables the `unpinned-uses` audit (sets `*: ref-pin`), since the template is maintained via Dependabot tags rather than hash pins.
- `permissions: {}` + per-job `contents: read` (excessive-permissions)
- `persist-credentials: false` on all checkouts (artipacked)
- `enable-cache: false` on `setup-uv` in the wheel-building `cd.yml` (cache-poisoning on a release workflow)

This repo itself

- `GH106` is added to `[tool.repo-review.ignore]` (with a reason, like the existing `RTD103`) so `repo-review .` stays green.
- Full zizmor adoption for this repo's own 8 workflows (dangerous-triggers, github-app, etc.) is left as a follow-up.

Validation

- `vcs=false` projects all report "No findings" from zizmor.
- `compare_copier` confirms cookiecutter/copier produce identical files (including the new `zizmor.yml`).
- `prek -a` clean; full test suite passes.

📚 Documentation preview 📚: https://scientific-python-cookie--798.org.readthedocs.build/
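The hardening the description lists, shown together as an added example that is not this PR's code: a hypothetical `.github/zizmor.yml` that relaxes `unpinned-uses` to `ref-pin`, followed by a minimal release workflow with the `excessive-permissions`, `artipacked` and `cache-poisoning` fixes applied (the workflow name and action tags are illustrative, not taken from the template).

```yaml
# .github/zizmor.yml (hypothetical file for this example)
# Accept tag/branch pins instead of requiring commit hashes for every action,
# because the template keeps action tags current via Dependabot.
rules:
  unpinned-uses:
    config:
      policies:
        "*": ref-pin
---
# .github/workflows/cd.yml (illustrative release workflow, not the template's)
name: CD
on:
  release:
    types: [published]

# Deny everything at the top level; each job re-grants only what it needs.
# Without this the default token can carry write scopes into every job
# (zizmor audit: excessive-permissions).
permissions: {}

jobs:
  build-wheel:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          # Do not persist GITHUB_TOKEN in .git/config, where a later step
          # or an uploaded artifact could pick it up (zizmor audit: artipacked).
          persist-credentials: false
      - uses: astral-sh/setup-uv@v5
        with:
          # A release build must not restore a cache that an untrusted PR
          # run could have written (zizmor audit: cache-poisoning).
          enable-cache: false
      - run: uv build
```

Running `zizmor .github/workflows/cd.yml` from the repository root picks up the config automatically; the three audits above report no findings against this workflow, while `unpinned-uses` stays quiet because `ref-pin` is now the accepted policy.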