woodruffw
Member

This addresses all of zizmor's non-pedantic findings, and adds a workflow to proactively flag any more that come in.

Key changes:

  • I've hash-pinned all actions references. Dependabot will continue to keep these updated and will update the hash comments as well.
  • I've marked every actions/checkout with persist-credentials: false except for one that actually needs persisted credentials (which I've explicitly enabled with an explanatory comment).
  • I've dropped some workflow-level permissions in favor of job-level permissions that were already provisioned.
  • I fixed two small template injections caused by expanding output contexts. I think these were not exploitable in practice, but fixing them is good for defense in depth (and makes spellcheck work nicely on these steps).

Signed-off-by: William Woodruff <[email protected]>
@woodruffw woodruffw requested a review from eifinger as a code owner August 29, 2025 19:48
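The four hardening changes listed in the PR description, shown together in one illustrative workflow. This is an added example, not a file from the setup-uv repository or from the PR itself; the job names, the `build` step, the `lint` job's way of invoking zizmor (`uvx zizmor .`) and the all-zero commit SHAs are assumptions, and the SHAs are placeholders that must be replaced with the real 40-character commit of the tagged release before use.

```yaml
# Added example (not the project's own workflow): what each of the
# PR's four findings looks like before and after in a single file.
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Finding 3: the workflow-level block that used to sit here
# (e.g. "permissions: contents: write") is dropped. Each job below
# declares only the permissions it actually needs.

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # job-level, least privilege
    steps:
      # Finding 1: pin to a full commit SHA instead of a mutable tag.
      # The trailing comment carries the human-readable version, which
      # Dependabot rewrites alongside the SHA on every bump.
      # (SHA below is a PLACEHOLDER, not a real commit.)
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          # Finding 2: do not leave the GITHUB_TOKEN in .git/config
          # for later steps (and any code they run) to read.
          persist-credentials: false

      - id: meta
        run: echo "version=$(cat VERSION)" >> "$GITHUB_OUTPUT"

      # Finding 4 (template injection): expanding an output context
      # directly inside `run:` splices untrusted text into the shell
      # script before it executes. The pattern to avoid is
      #   run: echo "Building ${{ steps.meta.outputs.version }}"
      # Passing the value through `env:` makes it ordinary data that
      # the shell quotes, instead of script text.
      - name: Report version
        env:
          VERSION: ${{ steps.meta.outputs.version }}
        run: echo "Building $VERSION"

  release:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    permissions:
      contents: write           # this job genuinely pushes, so it gets write
    steps:
      # The one exception from the PR: this checkout needs the token to
      # push, so persisting credentials is switched on deliberately and
      # the reason is recorded next to it.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (PLACEHOLDER SHA)
        with:
          persist-credentials: true   # required: later step pushes a tag
      - run: git push origin "v$(cat VERSION)"

  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (PLACEHOLDER SHA)
        with:
          persist-credentials: false
      # Assumed way of running zizmor inside the existing lint job, as the
      # follow-up commit in this thread does instead of a separate workflow.
      # Exits non-zero on findings, so new issues fail the check.
      - run: uvx zizmor .
```

A useful self-check after making these edits is to run zizmor locally on the workflow directory: its `template-injection`, `unpinned-uses`, `artipacked` (persisted credentials) and `excessive-permissions` audits correspond to the four items above, so the file should come back clean once each one is addressed.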
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

Collaborator

@eifinger eifinger left a comment

Thank you for adding these changes to this action as well.

A small request on the added workflow.

Signed-off-by: William Woodruff <[email protected]>
@woodruffw
Member Author

Thanks for the review @eifinger! I've removed the custom workflow for zizmor and moved the action into the lint job 🙂

@woodruffw woodruffw requested a review from eifinger September 2, 2025 13:26
Collaborator

@eifinger eifinger left a comment

Thank you 🚀

@eifinger eifinger added the ci Pull requests that change the CI workflows label Sep 2, 2025
@eifinger eifinger enabled auto-merge (squash) September 2, 2025 13:28
@eifinger eifinger merged commit b183611 into astral-sh:main Sep 2, 2025
73 checks passed