UX: Poor experience across multiple private repos #1350
Description
See zizmorcore/zizmor-action#55 for an instance of this.
TL;DR: some people use zizmor in private repos, which in turn reference actions/reusable workflows from other private repos. For example, ci.yml in secret-org/secret-repo might reference secret-org/secret-action@v1.
When users do this in CI/CD (e.g. with zizmor-action), they get snarled: by default zizmor-action tries to do online audits, which then fails on 404s because the default secrets.GITHUB_TOKEN doesn't have cross-org private repo access. This results in confusing failures for users where zizmor refuses to continue because it can't access remote resources that it needs to check.
See https://github.com/orgs/community/discussions/46566 for details on that secrets.GITHUB_TOKEN limiation.
Some potential solutions:
- Make zizmor more permissive by default of 404s against remote resources. I'm very hesitant to do this, because IME users ignore warnings about missing resources/failed requests and never go back to confirm that something important wasn't missed.
- Nudge users more heavily towards using PATs in this scenario. I don't love this because (1) PATs are annoying, (2) it requires another layer of special case documentation ("you only need PATs if..."), and (3) users have a tendency to overscope PATs (whereas zizmor only ever needs read-only access).
- Add an opt in CLI flag, something like
--allow-github-api-failures(this is a terrible name). With this users would get a warning instead of a hard error, so (1) but not by default. I'm okay with this I think, but it's going to require a better CLI flag name.
Overall I think (3) is the right path forwards, at least for now. But this is also pretty low-priority at the moment, since this veers towards the enterprise side of the feature spectrum and users can always unblock themselves by running zizmor locally or with a PAT (or entirely offline).