Skip to content

Upgrade zizmor to the latest version in CI #15300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AlexWaygood merged 1 commit into from
Jan 6, 2025
Merged

Upgrade zizmor to the latest version in CI #15300

AlexWaygood merged 1 commit into from
Jan 6, 2025

Conversation

@AlexWaygood
Copy link
Member

@AlexWaygood AlexWaygood commented Jan 6, 2025

Summary

This PR upgrades zizmor to the latest release in our CI. zizmor is a static analyzer checking for security issues in GitHub workflows. The new release finds some new issues in our workflows; this PR fixes some of the issues, and adds ignores for some other issues.

The issues fixed in this PR are new cases of zizmor's template-injection rule being emitted. The issues I'm ignoring for now are all to do with the cache-poisoning rule. The main reason I'm fixing some but ignoring others is that I'm confident fixing the template-injection diagnostics won't have any impact on how our workflows operate in CI, but I'm worried that fixing the cache-poisoning diagnostics could slow down our CI a fair bit. I don't mind if somebody else is motivated to try to fix these diagnostics, but for now I think I'd prefer to just ignore them; it doesn't seem high-priority enough to try to fix them right now :-)

Test Plan

  • uvx pre-commit run -a --hook-stage=manual passes locally
  • Let's see if CI passes on this PR...

@AlexWaygood AlexWaygood added the ci Related to internal CI tooling label Jan 6, 2025
@AlexWaygood AlexWaygood marked this pull request as ready for review January 6, 2025 13:30
@AlexWaygood AlexWaygood merged commit d45c1ee into main Jan 6, 2025
26 checks passed
@AlexWaygood AlexWaygood deleted the alex/upgrade-zizmor branch January 6, 2025 15:07
dcreager added a commit that referenced this pull request Jan 7, 2025
@dcreager
Merge branch 'main' into dcreager/class-match
5ff8f0d 
* main:
  Use uv consistently throughout the documentation (#15302)
  [red-knot] Eagerly normalize `type[]` types (#15272)
  [`pyupgrade`] Split `UP007` to two individual rules for `Union` and `Optional` (`UP007`, `UP045`) (#15313)
  [red-knot] Improve symbol-lookup tracing (#14907)
  [red-knot] improve type shrinking coverage in red-knot property tests (#15297)
  [`flake8-return`] Recognize functions returning `Never` as non-returning (`RET503`) (#15298)
  [`flake8-bugbear`] Implement `class-as-data-structure` (`B903`) (#9601)
  Avoid treating newline-separated sections as sub-sections (#15311)
  Remove call when removing final argument from `format` (#15309)
  Don't enforce `object-without-hash-method` in stubs (#15310)
  Don't special-case class instances in binary expression inference (#15161)
  Upgrade zizmor to the latest version in CI (#15300)
AlexWaygood added a commit that referenced this pull request Jan 8, 2025
@AlexWaygood
fix invalid syntax in workflow file
ae682ec 
re-reading #15300, it had a typo in it
@AlexWaygood AlexWaygood mentioned this pull request Jan 8, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@charliermarsh charliermarsh charliermarsh approved these changes

@dhruvmanila dhruvmanila Awaiting requested review from dhruvmanila

Assignees

No one assigned

Labels

ci Related to internal CI tooling

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@AlexWaygood @charliermarsh