ci: zizmor workflow#13901
Conversation
| # Upload the results to GitHub's code scanning dashboard. | ||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2 | ||
| uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 |
There was a problem hiding this comment.
Pull request overview
This PR introduces a dedicated zizmor GitHub Actions workflow for workflow security linting, and aligns existing workflows with tighter permission defaults and clearer action pin annotations. It also enables Dependabot updates for GitHub Actions.
Changes:
- Add
.github/workflows/zizmor.ymlto run zizmor and upload security findings (SARIF). - Harden/standardize workflow permissions (e.g., explicit
permissions: {}/contents: read) and adjust ordering. - Enable Dependabot updates for
github-actionsand refresh pinned-action version comments.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/zizmor.yml |
Adds zizmor reusable-workflow invocation and SARIF upload permissions. |
.github/workflows/stale.yml |
Cleans up header comments and updates pinned-action version annotation. |
.github/workflows/scorecards.yml |
Sets explicit empty top-level permissions and updates pinned-action version annotations. |
.github/workflows/pr-review.yml |
Reorders permissions/on blocks and adjusts zizmor trigger linting ignore. |
.github/workflows/pr-review-trigger.yml |
Reorders the on: block without changing behavior. |
.github/workflows/merge.yml |
Moves top-level permissions earlier for clarity/consistency. |
.github/workflows/docs-upstream.yml |
Removes redundant permission explanation comments; updates pinned-action version annotations. |
.github/workflows/ci.yml |
Moves top-level permissions earlier; updates pinned-action version annotations. |
.github/dependabot.yml |
Adds Dependabot updates for github-actions. |
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟡 NEEDS ATTENTION
This PR introduces the zizmor security scanning workflow and fixes zizmor findings across existing CI workflows. Most changes are safe reorganizations (moving permissions: blocks, adding version comments, updating dependabot config). However, two issues in .github/workflows/pr-review.yml appear to be functional regressions introduced by this PR.
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
This PR makes CI workflow hardening changes as flagged by zizmor:
- Permissions block placement: Moves top-level
permissions:blocks to appear beforeon:inci.yml,merge.yml, andpr-review.yml— this is the zizmor-preferred ordering and has no functional impact. - Version comment precision: Updates action version comments from short form (e.g.,
# v6) to full semver (e.g.,# v6.0.2) — all SHAs remain unchanged, so no actual action version changes. - scorecards.yml: Adds
permissions: {}at the workflow level; the job-level permissions (security-events: write,id-token: write) remain intact and are sufficient. - zizmor.yml (new): Delegates to
crazy-max/.githubreusable workflow pinned by SHA (46267a6e61cd56aac2fc79943df180152f4c89d6) withmin-severity: medium,min-confidence: medium, andpersona: pedantic. Permissions are correctly scoped (contents: read,security-events: write). - dependabot.yml: Adds
github-actionsecosystem with a 7-day cooldown — straightforward and correct. - Miscellaneous: Removes trailing whitespace/blank lines, removes verbose comment blocks that were redundant given the code.
No bugs or regressions introduced. All changes are mechanical improvements to workflow hygiene.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
similar to moby/buildkit#6623