feat: uv ecosystem, grouped PRs, Zizmor security analysis, and README #5
Merged
Conversation
- Add `dependabot/uv/*` branch pattern alongside `dependabot/pip/*`
- Parse individual packages from grouped PR body for security links
- Add `python` label for uv ecosystem PRs
- Rewrite README with full usage instructions, prerequisites, and how-it-works guide
Fixes zizmor/ref-version-mismatch: version comments like `# v4` now show the exact tag `# v4.2.2` that the pinned SHA corresponds to. Updated across all workflow files:
- actions/checkout: `# v4` → `# v4.2.2`
- step-security/harden-runner: `# v2` → `# v2.16.0`
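To make the ref-version-mismatch fix concrete, here is an added example (not zizmor's code and not this project's workflow) of the check in miniature: given a tag-to-commit index of the kind you would build from `git ls-remote --tags`, it scans SHA-pinned `uses:` lines, reports comments that name a tag which does not resolve to the pinned commit, comments naming an unknown tag, and comments that name a moving major tag when a more specific tag points at the same commit, then rewrites the comment to the exact tag. The commit values, the sample workflow and the three finding kinds are constructed for illustration; the real audit's rules and output differ.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Placeholder commit ids (NOT the real commits behind these tags).
SHA_A, SHA_B, SHA_C, SHA_D = "1" * 40, "2" * 40, "3" * 40, "4" * 40

# Constructed tag index in the shape you would assemble from
# `git ls-remote --tags https://github.com/<owner>/<repo>`: tag -> commit.
TAG_INDEX = {
    "actions/checkout": {
        "v4": SHA_A,      # moving major tag, currently the same commit as v4.2.2
        "v4.2.2": SHA_A,
        "v4.2.1": SHA_B,
    },
    "step-security/harden-runner": {
        "v2": SHA_C,
        "v2.16.0": SHA_C,
    },
}

# A SHA-pinned `uses:` with a trailing version comment, e.g.
#   uses: actions/checkout@<40 hex> # v4
USES_RE = re.compile(
    r"uses:\s*(?P<repo>[\w.-]+/[\w.-]+)@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<tag>\S+)"
)


@dataclass
class Finding:
    repo: str
    comment_tag: str
    kind: str                  # "mismatch", "unknown-tag" or "imprecise"
    suggestion: Optional[str]  # most specific tag that really points at the pinned SHA


def exact_tag_for(repo: str, sha: str) -> Optional[str]:
    """Most specific tag (most dotted components) that resolves to `sha`, if any."""
    candidates = [t for t, s in TAG_INDEX.get(repo, {}).items() if s == sha]
    return max(candidates, key=lambda t: t.count("."), default=None)


def audit(workflow_text: str) -> list:
    """Report version comments that contradict, or under-specify, the pinned SHA."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        repo, sha, tag = m.group("repo"), m.group("sha"), m.group("tag")
        tags = TAG_INDEX.get(repo, {})
        exact = exact_tag_for(repo, sha)
        if tag not in tags:
            findings.append(Finding(repo, tag, "unknown-tag", exact))
        elif tags[tag] != sha:
            findings.append(Finding(repo, tag, "mismatch", exact))
        elif exact is not None and exact != tag:
            findings.append(Finding(repo, tag, "imprecise", exact))
    return findings


def fix(workflow_text: str) -> str:
    """Rewrite each version comment to the exact tag for its pinned SHA, where one is known."""
    def repl(m):
        exact = exact_tag_for(m.group("repo"), m.group("sha"))
        if exact is None:
            return m.group(0)  # no tag resolves to this commit; leave it for a human
        return f"uses: {m.group('repo')}@{m.group('sha')} # {exact}"
    return USES_RE.sub(repl, workflow_text)


# Constructed workflow fragment: one clean pin, then one of each finding kind.
SAMPLE_WORKFLOW = f"""\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: step-security/harden-runner@{SHA_C} # v2.16.0
      - uses: actions/checkout@{SHA_A} # v4
      - uses: actions/checkout@{SHA_B} # v4.2.2
      - uses: step-security/harden-runner@{SHA_D} # v2.99.0
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_WORKFLOW):
        print(f"{f.kind:12} {f.repo}: comment says {f.comment_tag}, suggest {f.suggestion}")
    print(fix(SAMPLE_WORKFLOW))
```

The "imprecise" case is the one the commit above fixes: `# v4` is not wrong today, but a moving major tag can be retargeted later, so the comment stops telling a reviewer which release the SHA is; writing the exact tag keeps the comment and the pin in agreement.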
j7an added a commit that referenced this pull request on Apr 12, 2026:
feat: uv ecosystem, grouped PRs, Zizmor security analysis, and README
Summary

- Add `dependabot/uv/*` branch pattern alongside `dependabot/pip/*` for the Python uv ecosystem
- Add `python` label for uv ecosystem PRs

Problem

Grouped uv PR branches (`dependabot/uv/minor-and-patch-*`) fell through to `Ecosystem: Unknown` with no security links because the gate workflow only matched `dependabot/pip/*`.

Zizmor integration

Runs on push to main and PRs. Detects template injection, excessive permissions, known CVEs in pinned action commits, dangerous triggers, and supply chain risks. Pinned to `zizmorcore/zizmor-action@71321a2` (v0.5.2), verified clean against GHSA, OSV, and tag SHA integrity.

Test plan

- `dependabot/uv/*` PRs get ecosystem "PyPI" with security links
- `dependabot/pip/*` PRs still work
- `python` label applied for both pip and uv branches
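The Summary, Problem and Test plan above describe three pieces of gate logic: map a Dependabot branch name to an ecosystem and a label, pull the individual packages out of a grouped PR body, and attach advisory-search links per package. The following is an added example of that logic, written for this page rather than taken from the project's gate workflow. The branch-prefix table, the advisory URL templates and the two sample PR bodies are my assumptions, modelled on the PR text and on the usual Dependabot body shapes ("Updates `pkg` from X to Y" per package in a grouped PR, "Bumps [pkg](url) from X to Y" in a single-package PR); the project's actual links and labels may differ.

```python
import re
from urllib.parse import quote

# Assumed branch-prefix table: Dependabot branch prefix -> (ecosystem name the
# gate reports, PR label to apply). The pip and uv rows follow the PR text; the
# github_actions row is illustrative only.
ECOSYSTEMS = {
    "dependabot/pip/": ("PyPI", "python"),
    "dependabot/uv/": ("PyPI", "python"),
    "dependabot/github_actions/": ("GitHub Actions", "ci"),
}

# Assumed advisory-search URL templates per ecosystem (my choice of sources,
# not necessarily what the project emits).
LINK_TEMPLATES = {
    "PyPI": {
        "osv": "https://osv.dev/list?ecosystem=PyPI&q={pkg}",
        "ghsa": "https://github.com/advisories?query=ecosystem%3Apip+{pkg}",
    },
    "GitHub Actions": {
        "ghsa": "https://github.com/advisories?query=ecosystem%3Aactions+{pkg}",
    },
}

# A version token: dotted components, so a trailing sentence period is not swallowed.
VER = r"[\w+-]+(?:\.[\w+-]+)*"
GROUPED_RE = re.compile(r"Updates `(?P<name>[^`]+)` from (?P<old>" + VER + r") to (?P<new>" + VER + r")")
SINGLE_RE = re.compile(r"Bumps \[(?P<name>[^\]]+)\]\([^)]*\) from (?P<old>" + VER + r") to (?P<new>" + VER + r")")


def classify_branch(branch):
    """Ecosystem and label for a branch, or ("Unknown", None) when no prefix matches."""
    for prefix, (ecosystem, label) in ECOSYSTEMS.items():
        if branch.startswith(prefix):
            return ecosystem, label
    return "Unknown", None


def parse_updates(body):
    """Every package bumped in the PR body as {name, from, to}, grouped or single, de-duplicated."""
    matches = GROUPED_RE.findall(body) or SINGLE_RE.findall(body)
    seen, out = set(), []
    for name, old, new in matches:
        if name not in seen:
            seen.add(name)
            out.append({"name": name, "from": old, "to": new})
    return out


def security_links(ecosystem, package):
    """Advisory-search links for one package; empty for an ecosystem we cannot map."""
    templates = LINK_TEMPLATES.get(ecosystem, {})
    return {k: v.format(pkg=quote(package, safe="")) for k, v in templates.items()}


def gate(branch, body):
    """What the gate would post for a Dependabot PR: ecosystem, label and per-package links."""
    ecosystem, label = classify_branch(branch)
    packages = parse_updates(body)
    for p in packages:
        p["links"] = security_links(ecosystem, p["name"])
    return {"ecosystem": ecosystem, "label": label, "packages": packages}


# Constructed sample bodies in the two Dependabot shapes described above.
GROUPED_BODY = """\
Bumps the minor-and-patch group with 2 updates: [requests](https://github.com/psf/requests) and [urllib3](https://github.com/urllib3/urllib3).

Updates `requests` from 2.31.0 to 2.32.3
- [Release notes](https://github.com/psf/requests/releases)

Updates `urllib3` from 2.2.1 to 2.2.2
- [Release notes](https://github.com/urllib3/urllib3/releases)
"""
SINGLE_BODY = """\
Bumps [requests](https://github.com/psf/requests) from 2.31.0 to 2.32.3.
- [Release notes](https://github.com/psf/requests/releases)
"""

if __name__ == "__main__":
    for branch, body in [("dependabot/uv/minor-and-patch-1a2b3c4d", GROUPED_BODY),
                         ("dependabot/pip/requests-2.32.3", SINGLE_BODY),
                         ("renovate/requests-2.x", SINGLE_BODY)]:
        print(branch, gate(branch, body))
```

Matching on the branch prefix rather than on the PR title is deliberate: titles of grouped PRs name the group, not the packages, so the body is the only place the individual package names and versions can be recovered from.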