fix(ci): disable zizmor advanced security to unblock releases

[wochinge]

Summary

• Disables advanced-security for zizmor so it no longer uploads SARIF to GitHub Code Scanning
• Sets min-severity: medium to filter noisy low-severity findings
• Removes now-unnecessary security-events: write permission

Context

The release workflow failed because the branch protection ruleset requires zizmor code scanning results before pushes to main. Since the release creates a new commit locally and pushes it, the commit doesn't exist on GitHub yet — so code scanning can't produce results for it, blocking the push.

With advanced-security: false, zizmor still runs as a regular CI check but doesn't register as a code scanning tool, so the branch protection rule no longer applies.

After merging: remove the zizmor entry from the code scanning requirement in the branch protection ruleset.

Test plan

• Verify zizmor workflow still runs and catches issues on PRs
• Verify release workflow can push to main without being blocked

🤖 Generated with Claude Code

Disclaimer: Experimental PR review

Greptile Summary

This PR unblocks the release workflow by switching zizmor from advanced-security: true to false, preventing SARIF uploads to GitHub Code Scanning and thereby removing the branch protection code scanning requirement from the push path. The security-events: write permission is correctly removed alongside, and min-severity: medium is added to filter low-severity findings.

The stated follow-up action (removing the zizmor entry from the code scanning requirement in the branch protection ruleset) should be completed promptly after merge — leaving the stale ruleset entry in place is harmless but creates confusion about which checks are actually required.

Confidence Score: 5/5

Safe to merge — targeted CI configuration fix with no code changes and a correct permission reduction.

The change is minimal, well-motivated, and correct: disabling SARIF upload removes the blocking code scanning gate, removing security-events: write follows least-privilege, and min-severity: medium is explicitly called out as intentional. No logic errors, no security regressions, no missing edge cases in the diff.

No files require special attention.

Important Files Changed

Filename	Overview
.github/workflows/zizmor.yml	Disables zizmor SARIF upload (advanced-security: false), removes now-unnecessary security-events: write permission, and adds min-severity: medium to suppress low-severity noise.

Sequence Diagram

sequenceDiagram
    participant Dev as Developer / Release Bot
    participant GH as GitHub
    participant ZW as Zizmor Workflow
    participant CS as GitHub Code Scanning

    Note over Dev,CS: Before this PR
    Dev->>GH: Push commit to main
    GH->>ZW: Trigger zizmor workflow
    ZW->>ZW: Run security analysis
    ZW->>CS: Upload SARIF (advanced-security: true)
    CS-->>GH: Code scanning result required
    GH-->>Dev: ❌ Branch protection blocks push (no prior scan for new commit)

    Note over Dev,CS: After this PR
    Dev->>GH: Push commit to main
    GH->>ZW: Trigger zizmor workflow
    ZW->>ZW: Run security analysis (min-severity: medium)
    Note right of ZW: No SARIF upload (advanced-security: false)
    ZW-->>GH: CI check pass/fail only
    GH-->>Dev: ✅ Branch protection only requires CI check (not code scanning)

Loading

_{Reviews (1): Last reviewed commit: "fix(ci): disable zizmor advanced securit..." | Re-trigger Greptile}

[github-actions]

@claude review

[claude]

LGTM — simple CI config fix that removes the permission and disables SARIF upload to unblock the release workflow.

Extended reasoning...

Overview

This PR modifies a single CI workflow file () to disable the advanced-security flag on the zizmor action and add a min-severity: medium filter, while removing the now-unnecessary security-events: write permission.

Security Risks

The change actually reduces the permission surface by removing security-events: write. Zizmor still runs as a CI check and can still fail PRs on medium+ severity findings — it just no longer uploads SARIF results to GitHub Code Scanning. No security risks introduced.

Level of Scrutiny

Low. This is a mechanical CI configuration change with a clear, well-explained rationale. The diff is 3 lines and the intent is unambiguous.

Other Factors

No bugs found. The PR description notes a follow-up action (remove zizmor from code scanning branch protection requirement) which is an out-of-band GitHub UI task, not a code change. The change is consistent with the recent commit 5e47482 on main that made the same fix.

[claude]

LGTM — minimal CI config fix that unblocks releases while keeping zizmor running as a regular check.

Extended reasoning...

Overview

Single-file change to .github/workflows/zizmor.yml: disables SARIF upload (advanced-security: false), removes the now-unnecessary security-events: write permission, and adds min-severity: medium to suppress low-severity noise.

Security Risks

The change reduces permissions (removing security-events: write) rather than adding any. Zizmor still runs and will fail the CI check on findings — it just no longer uploads results to GitHub Code Scanning. No code-execution logic is touched.

Level of Scrutiny

Low — this is a pure CI configuration adjustment with a clear, well-documented motivation (unblocking the release workflow). The change is mechanical and reversible.

Other Factors

No bugs were found. The diff is 7 lines, all in a workflow file. The follow-up action (removing the stale code scanning ruleset entry) is non-blocking and noted in the PR description.