
Perf: optimize impostor-commit #1417

@woodruffw

Description

impostor-commit is by far the slowest audit, in part because zizmor only uses the official GitHub APIs to determine impostor status (which is incredibly slow, since impostor commits by definition require the worst-case search of all branch and tag histories).

There's an alternative, which is to use GitHub's undocumented branch_commits API:

curl -H 'Accept: application/json' https://github.com/:org/:repo/branch_commits/:hash

...yields something like:

{
  "branches": [],
  "tags": []
}

...where both are empty lists if the commit is an impostor.

The main risk with using this endpoint is that it's completely undocumented, and GitHub can probably change it whenever they want. So we'll probably still need to retain the slow path, but we can opportunistically use the undocumented API and fall back if the response schema ever changes from what we expect.
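The fast-path/slow-path strategy described above, as an added illustration (this is not zizmor's code and not the issue author's; it is a stand-alone sketch in Python). The sample response bodies are constructed here, not captured from GitHub: the issue only shows the empty-list shape, so the element format of a non-empty list (plain names) is an assumption, as are the drifted and HTML bodies standing in for a schema change and an error page. The fetcher and the official-API checker are passed in as callables so the logic runs offline; `parse_branch_commits` returns `None` for anything that is not exactly the expected shape, and `is_impostor` takes the slow path whenever it does:

```python
"""Opportunistic use of the undocumented branch_commits endpoint with a strict
schema check and fallback to the official APIs. Added illustration; not zizmor's
own implementation."""
import json
from typing import Callable, Optional, Tuple

# Constructed sample responses (not captured from GitHub).
IMPOSTOR_BODY = '{"branches": [], "tags": []}'          # shape shown in the issue
REACHABLE_BODY = '{"branches": ["main"], "tags": []}'   # element format is an assumption
DRIFTED_BODY = '{"refs": []}'                           # hypothetical schema change
MALFORMED_BODY = '<!doctype html><title>Not Found</title>'  # hypothetical error page


def parse_branch_commits(status: int, body: str) -> Optional[bool]:
    """Interpret one branch_commits response strictly.

    Returns True when the commit is reachable from no branch and no tag (an
    impostor), False when it is reachable, and None whenever the response is
    not the shape we expect, so the caller can fall back to the official API
    instead of guessing. Extra top-level keys are tolerated; missing keys or
    non-list values are not.
    """
    if status != 200:
        return None
    try:
        doc = json.loads(body)
    except ValueError:  # includes json.JSONDecodeError
        return None
    if not isinstance(doc, dict):
        return None
    branches = doc.get("branches")
    tags = doc.get("tags")
    if not isinstance(branches, list) or not isinstance(tags, list):
        return None
    return len(branches) == 0 and len(tags) == 0


def is_impostor(
    fast_fetch: Callable[[], Tuple[int, str]],
    slow_check: Callable[[], bool],
) -> Tuple[bool, str]:
    """Try the undocumented endpoint first; fall back to the official APIs.

    fast_fetch returns (status, body) for the branch_commits URL; slow_check
    performs the full branch/tag history search. The second element of the
    result records which path produced the verdict.
    """
    try:
        status, body = fast_fetch()
    except OSError:  # network failure: behave as if the endpoint did not exist
        return slow_check(), "slow"
    verdict = parse_branch_commits(status, body)
    if verdict is None:
        return slow_check(), "slow"
    return verdict, "fast"


if __name__ == "__main__":
    def slow() -> bool:
        print("falling back to the official APIs")
        return True

    print(is_impostor(lambda: (200, IMPOSTOR_BODY), slow))   # fast path, impostor
    print(is_impostor(lambda: (200, REACHABLE_BODY), slow))  # fast path, reachable
    print(is_impostor(lambda: (200, DRIFTED_BODY), slow))    # schema changed, slow path
    print(is_impostor(lambda: (404, IMPOSTOR_BODY), slow))   # non-200, slow path
```

The strictness is deliberate: a schema change that still happens to return empty lists would make the fast path flag every commit as an impostor (noisy but fail-safe), while one that returns non-empty lists for everything would silently hide impostors, and neither can be detected from the body alone. Checking the types of both lists and refusing anything else at least guarantees that a change which renames or removes the keys, or that returns an error page, lands on the slow path rather than producing a verdict.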
