From 447accbdd94d24f8c4671e0bbfbe9d449a798309 Mon Sep 17 00:00:00 2001
From: James Crocker <87319125+jamesc-grafana@users.noreply.github.com>
Date: Tue, 6 May 2025 17:26:31 +0100
Subject: [PATCH 1/2] update zizmor to run offline (needs version bump)
---
.github/workflows/self-zizmor.yaml | 1 +
1 file changed, 1 insertion(+)
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
index 9c3fe45..5f0452f 100644
--- a/.github/workflows/self-zizmor.yaml
+++ b/.github/workflows/self-zizmor.yaml
@@ -82,3 +82,4 @@ jobs:
min-severity: high
min-confidence: low
github-token: ${{ needs.get-github-token.outputs.token }}
+ extra-args: --offline
From 6f62de697c6d46a6b13c22e3b07b14c1f216acd5 Mon Sep 17 00:00:00 2001
From: James Crocker <87319125+jamesc-grafana@users.noreply.github.com>
Date: Wed, 7 May 2025 16:08:22 +0100
Subject: [PATCH 2/2] remove token job and enable offline mode
---
.github/workflows/self-zizmor.yaml | 39 ++----------------------------
1 file changed, 2 insertions(+), 37 deletions(-)
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
index 5f0452f..d29fe4a 100644
--- a/.github/workflows/self-zizmor.yaml
+++ b/.github/workflows/self-zizmor.yaml
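Review bot: `extra-args: --offline` is passed to the reusable workflow while it is still pinned at b502a15…, and the subject line itself concedes that this needs a version bump; GitHub's workflow validation rejects an input the called workflow does not declare, so until PATCH 2/2 lands this intermediate commit most likely fails to run and does not bisect cleanly. Squashing the two patches, or bumping the pin first, would avoid that. Separately, `--offline` restricts zizmor to audits that need no network access, so the checks that consult the GitHub API (known-vulnerable-actions, impostor-commit, ref-confusion) are skipped without any visible trace; a trailing comment such as `extra-args: --offline  # skips network-backed audits (known-vulnerable-actions, impostor-commit, ref-confusion)` would make that trade-off explicit to the next reader.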
@@ -27,59 +27,24 @@ jobs:
FOUND_FILES=true
fi
echo "found-files=${FOUND_FILES}" >> $GITHUB_OUTPUT
- get-github-token:
- name: Get GitHub Token
- runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
- outputs:
- token: ${{ steps.set-output.outputs.token }}
- permissions:
- id-token: write
- steps:
- - id: get-secrets
- uses: grafana/shared-workflows/actions/get-vault-secrets@get-vault-secrets-v1.2.0
- continue-on-error: true # Will fail for external repos
- with:
- # Secrets placed in the ci/common/ path in Vault
- common_secrets: |
- ZIZMOR_APP_ID=zizmor:app-id
- ZIZMOR_PRIVATE_KEY=zizmor:private-key
- - name: Get GitHub Token
- id: get-github-token
- uses: actions/create-github-app-token@v2
- continue-on-error: true
- if: ${{ env.ZIZMOR_APP_ID != '' }}
- with:
- app-id: ${{ env.ZIZMOR_APP_ID }}
- private-key: ${{ env.ZIZMOR_PRIVATE_KEY }}
- owner: ${{ github.repository_owner }}
- - name: Set Output
- id: set-output
- shell: bash
- env:
- TOKEN: ${{ steps.get-github-token.outputs.token || github.token}}
- run: |
- echo "token=${TOKEN}" >> $GITHUB_OUTPUT
zizmor:
name: Run zizmor from current branch (self test)
permissions:
actions: read
contents: read
-
+ id-token: write
pull-requests: write
security-events: write
needs:
- zizmor-check
- - get-github-token
if: ${{ needs.zizmor-check.outputs.found-files == 'true' }}
- uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@b502a15952bab7f72daa1f8ce115491a6d97be59
+ uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@8ce69f8316247b9c75380ddb1f69df42d6d3a913
with:
runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
fail-severity: never
min-severity: high
min-confidence: low
- github-token: ${{ needs.get-github-token.outputs.token }}
extra-args: --offline
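Review bot: The new `id-token: write` under the zizmor job's permissions is handed to the reusable workflow with no explanation, and nothing remaining in this file uses it: its only consumer was the removed get-vault-secrets step, and with `--offline` zizmor no longer needs an app token at all. If the reusable workflow at 8ce69f8… now obtains its own credentials via OIDC, a comment such as `id-token: write  # needed by reusable-zizmor.yml to fetch its own credentials via OIDC` should say so; if it does not, the grant should be dropped, because `id-token: write` lets the called workflow mint OIDC tokens that the org's cloud and vault roles may trust. Second, the bumped `uses:` pin carries no version comment; appending the matching tag, e.g. `# vX.Y.Z (placeholder: tag corresponding to 8ce69f8)`, keeps the SHA auditable and lets Dependabot/Renovate track it. The zizmor-check job whose run block opens the hunk starts outside it.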