Add zizmor #54
Add zizmor #54
Conversation
Scan GitHub Actions workflows with zizmor and fix/suppress findings.
martincostello
added
enhancement
There was a problem hiding this comment.
Pull Request Overview
This PR integrates zizmor, a GitHub Actions workflow security scanner, into the project's CI/CD pipeline and addresses findings from the security analysis. The changes add zizmor scanning to the lint workflow while suppressing specific security warnings where the current configuration is intentionally required.
- Adds zizmor security scanning to the lint workflow with pedantic persona
- Suppresses zizmor findings for intentional security configurations with explanatory comments
- Updates workflow permissions to support zizmor's security scanning capabilities
Reviewed Changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
.github/workflows/lint.yml |
Adds zizmor workflow scanning step with required permissions and environment variables |
.github/workflows/release.yml |
Suppresses artipacked warning for persist-credentials with justification comment |
.github/workflows/ossf-scorecard.yml |
Suppresses excessive-permissions warning for OSSF Scorecard recommended permissions |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
Scan GitHub Actions workflows with zizmor and fix/suppress findings.