Skip to content

ci: zizmor workflow#13901

Merged
glours merged 3 commits into
docker:mainfrom
crazy-max:zizmor
Jul 6, 2026
Merged

ci: zizmor workflow#13901
glours merged 3 commits into
docker:mainfrom
crazy-max:zizmor

Conversation

@crazy-max

Copy link
Copy Markdown
Member

similar to moby/buildkit#6623

@crazy-max crazy-max requested review from Copilot and glours July 6, 2026 14:51
@crazy-max crazy-max requested a review from a team as a code owner July 6, 2026 14:51
@crazy-max crazy-max requested a review from ndeloof July 6, 2026 14:51
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will be fixed in #13896

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a dedicated zizmor GitHub Actions workflow for workflow security linting, and aligns existing workflows with tighter permission defaults and clearer action pin annotations. It also enables Dependabot updates for GitHub Actions.

Changes:

  • Add .github/workflows/zizmor.yml to run zizmor and upload security findings (SARIF).
  • Harden/standardize workflow permissions (e.g., explicit permissions: {} / contents: read) and adjust ordering.
  • Enable Dependabot updates for github-actions and refresh pinned-action version comments.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
.github/workflows/zizmor.yml Adds zizmor reusable-workflow invocation and SARIF upload permissions.
.github/workflows/stale.yml Cleans up header comments and updates pinned-action version annotation.
.github/workflows/scorecards.yml Sets explicit empty top-level permissions and updates pinned-action version annotations.
.github/workflows/pr-review.yml Reorders permissions/on blocks and adjusts zizmor trigger linting ignore.
.github/workflows/pr-review-trigger.yml Reorders the on: block without changing behavior.
.github/workflows/merge.yml Moves top-level permissions earlier for clarity/consistency.
.github/workflows/docs-upstream.yml Removes redundant permission explanation comments; updates pinned-action version annotations.
.github/workflows/ci.yml Moves top-level permissions earlier; updates pinned-action version annotations.
.github/dependabot.yml Adds Dependabot updates for github-actions.

Comment thread .github/workflows/pr-review.yml
Comment thread .github/workflows/zizmor.yml Outdated
Comment thread .github/workflows/pr-review.yml

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟡 NEEDS ATTENTION

This PR introduces the zizmor security scanning workflow and fixes zizmor findings across existing CI workflows. Most changes are safe reorganizations (moving permissions: blocks, adding version comments, updating dependabot config). However, two issues in .github/workflows/pr-review.yml appear to be functional regressions introduced by this PR.

Comment thread .github/workflows/pr-review.yml
Comment thread .github/workflows/pr-review.yml
crazy-max added 2 commits July 6, 2026 16:57
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

This PR makes CI workflow hardening changes as flagged by zizmor:

  • Permissions block placement: Moves top-level permissions: blocks to appear before on: in ci.yml, merge.yml, and pr-review.yml — this is the zizmor-preferred ordering and has no functional impact.
  • Version comment precision: Updates action version comments from short form (e.g., # v6) to full semver (e.g., # v6.0.2) — all SHAs remain unchanged, so no actual action version changes.
  • scorecards.yml: Adds permissions: {} at the workflow level; the job-level permissions (security-events: write, id-token: write) remain intact and are sufficient.
  • zizmor.yml (new): Delegates to crazy-max/.github reusable workflow pinned by SHA (46267a6e61cd56aac2fc79943df180152f4c89d6) with min-severity: medium, min-confidence: medium, and persona: pedantic. Permissions are correctly scoped (contents: read, security-events: write).
  • dependabot.yml: Adds github-actions ecosystem with a 7-day cooldown — straightforward and correct.
  • Miscellaneous: Removes trailing whitespace/blank lines, removes verbose comment blocks that were redundant given the code.

No bugs or regressions introduced. All changes are mechanical improvements to workflow hygiene.

@glours glours left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @crazy-max

@glours glours enabled auto-merge (rebase) July 6, 2026 15:06
@glours glours merged commit be7b72e into docker:main Jul 6, 2026
44 of 45 checks passed
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@crazy-max crazy-max deleted the zizmor branch July 6, 2026 15:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants