Pull request overview
Updates the Zizmor configuration setup used by the repository’s reusable Zizmor workflows by bumping the referenced setup-zizmor-config action to v3 and changing the action implementation to patch/merge required rules into zizmor.yml.
Changes:
- Bump `setup-zizmor-config` action reference from `v2` to `v3` across the reusable Zizmor workflows.
- Update the composite action to create a minimal `zizmor.yml` when missing and then patch in required `dependabot-cooldown` and `unpinned-uses` policy configuration via `yq`.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| .github/workflows/reusable-zizmor-security.yml | Updates the referenced Zizmor config setup action to v3. |
| .github/workflows/reusable-zizmor-annotate.yml | Updates the referenced Zizmor config setup action to v3. |
| .github/workflows/reusable-zizmor-advanced-security.yml | Updates the referenced Zizmor config setup action to v3. |
| .github/actions/setup-zizmor-config/action.yml | Changes config generation to a patch/merge approach using yq to enforce specific rules/policies. |
| # Patch (merge) with extra config | ||
| echo "Patching zizmor.yml configuration file for CI..." | ||
| yq -i ' | ||
| .rules |= (. // {}) | | ||
| .rules."dependabot-cooldown" |= (. // {}) | | ||
| .rules."dependabot-cooldown".disable |= true | | ||
| .rules."unpinned-uses" |= (. // {}) | | ||
| .rules."unpinned-uses".config |= (. // {}) | | ||
| .rules."unpinned-uses".config.policies |= (. // {}) | | ||
| .rules."unpinned-uses".config.policies."MiraGeoscience/*" |= "ref-pin" | ||
| ' zizmor.yml |
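Review bot: the two leaf assignments with constant right-hand sides (`.disable |= true` and `policies."MiraGeoscience/*" |= "ref-pin"`) overwrite whatever a consumer already set for those keys, so for these entries the step is an override rather than the merge its comment announces, and both loosen what zizmor would otherwise check for every workflow that uses this action (a tag or branch pin is accepted for `MiraGeoscience/*` instead of a commit hash, and the `dependabot-cooldown` audit is switched off). If overriding is the intent, say so in the step comment and have the step print the resulting file (for example `yq . zizmor.yml`) after the edit so the enforced policy is visible in the job log; if a consumer's explicit setting should win, use the same `(. // value)` pattern the intermediate maps already use, e.g. `.rules."unpinned-uses".config.policies."MiraGeoscience/*" |= (. // "ref-pin")`.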
This composite action now depends on yq, but nothing here ensures yq is installed or that it’s the v4 CLI that supports this expression syntax. On GitHub runners this is not guaranteed and can cause the workflow to fail with yq: command not found or incompatible syntax. Consider installing/pinning mikefarah/yq (v4) in this action (or guarding with a clear error + install fallback) before calling yq -i.
| EOF | ||
| else | ||
| echo "⊘ Found existing zizmor.yml configuration file" | ||
| echo $'rules:\n' > zizmor.yml |
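Review bot: the rendered diff has lost its +/- markers, so it is not clear whether `echo $'rules:\n' > zizmor.yml` sits in the `else` branch directly after the "Found existing zizmor.yml configuration file" message; if it does, an existing consumer config is replaced with a bare `rules:` key before the patch step runs and every other rule they configured is silently lost. Please confirm the write only happens on the not-found path, and consider a no-clobber guard such as `[ -f zizmor.yml ] || printf 'rules:\n' > zizmor.yml` so the intent is explicit regardless of where the line lands.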
Using echo $'rules:\n' > zizmor.yml is bash-specific and echo behavior can vary; printf is more predictable for emitting YAML content (and avoids relying on ANSI-C quoting). Consider switching to printf 'rules:\n' > zizmor.yml.
| echo $'rules:\n' > zizmor.yml | |
| printf 'rules:\n' > zizmor.yml |
| # Patch (merge) with extra config | ||
| echo "Patching zizmor.yml configuration file for CI..." | ||
| yq -i ' |
This action now always patches/merges additional rules into zizmor.yml, even when the file already exists. The action metadata still says it only “Creates a default zizmor.yml if one does not exist”, which is now incomplete and may confuse consumers; please update the action description (and/or step name) to reflect the patching behavior.
DEVOPS-977: setup zizmor config patch