From 3e563d90d5025ec42719f2d0bdb355563a32577d Mon Sep 17 00:00:00 2001
From: Will Murphy
Date: Fri, 16 Jan 2026 10:49:00 -0500
Subject: [PATCH] ci: enable zizmor to fail PRs (#4556)

* ci: enable zizmor to fail PRs

Enable zizmor (gh actions yaml linter) to fail builds in PRs. Fix any outstanding linting errors found by this tool.

Signed-off-by: Will Murphy

* fix outdated version comments

Signed-off-by: Will Murphy

---------

Signed-off-by: Will Murphy
---
 .github/dependabot.yml | 4 ++++
 .github/workflows/codeql-analysis.yml | 6 +++---
 .github/workflows/validate-github-actions.yaml | 5 +++--
 .github/zizmor.yml | 8 ++++----
 4 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 4d2e05c22..e63a7ff01 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -15,6 +15,8 @@ updates:
 
   - package-ecosystem: gomod
     directory: "/"
+    cooldown:
+      default-days: 7
     schedule:
       interval: "weekly"
       day: "friday"
@@ -34,6 +36,8 @@ updates:
     directories:
       - "/"
       - "/.github/actions/bootstrap"
+    cooldown:
+      default-days: 7
     schedule:
       interval: "weekly"
       day: "friday"
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index 301266c7c..8acba4393 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -47,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 #v3.29.5
+      uses: github/codeql-action/init@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
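Review bot: The new `cooldown:` stanza under the gomod entry carries no comment saying why a 7-day delay was chosen, and the same value is duplicated verbatim in the second entry of this file (@@ -34,6 +36,8 @@) rather than explained once. If the motivation is the supply-chain one — not proposing a release until it has been public long enough for a compromised, yanked or quickly-patched version to be noticed — a comment above each stanza such as `# Wait 7 days after a release before proposing it, so a freshly published (possibly compromised) version is not pulled immediately` records that for the next reader. As far as I recall, Dependabot's cooldown applies to version updates only and security updates are not delayed by it; that should be confirmed against the current Dependabot documentation before anyone treats the cooldown as a blanket delay on security fixes. Both hunks sit inside the `updates:` sequence, whose remaining entries are outside this diff.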
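Review bot: The relabelled comment `# v4.31.9` on the `github/codeql-action/init` step cannot be verified from the diff: the SHA `5d4e8d1aca955e8d8589aabd499c5cae939e33c7` is unchanged, only the human-readable label moves from v3.29.5 to v4.31.9, and nothing in the workflow checks that the label matches the commit. Because the label is what a reviewer uses to judge whether the pin is current, and it had already drifted once, it is worth confirming that the tag resolves to that SHA (for example with `git ls-remote --tags https://github.com/github/codeql-action` or the release page) and then letting Dependabot own both the SHA and the trailing comment so they stay in step. The same relabel is made in the autobuild and analyze hunks (@@ -58,7 +58,7 @@ and @@ -72,4 +72,4 @@) and the same verification applies there. The enclosing job definition starts before this hunk.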
@@ -58,7 +58,7 @@ jobs:
     # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 #v3.29.5
+      uses: github/codeql-action/autobuild@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
 
     # â„šī¸ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -72,4 +72,4 @@ jobs:
     # make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 #v3.29.5
+      uses: github/codeql-action/analyze@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9
diff --git a/.github/workflows/validate-github-actions.yaml b/.github/workflows/validate-github-actions.yaml
index dd9fd42f7..d6169af1f 100644
--- a/.github/workflows/validate-github-actions.yaml
+++ b/.github/workflows/validate-github-actions.yaml
@@ -30,6 +30,7 @@ jobs:
       - name: "Run zizmor"
         uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
         with:
-          config-file: .github/zizmor.yml
-          sarif-upload: true
+          config: .github/zizmor.yml
+          # Disable SARIF upload so the step is a simple pass/fail gate
+          advanced-security: false
           inputs: .github
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 5e92012af..9002617dd 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,9 +1,9 @@
 rules:
   unpinned-uses:
-    ignore:
-      # Allow unpinned uses of trusted internal anchore/workflows actions
-      - update-anchore-dependencies.yml
-
+    config:
+      policies:
+        # anchore/workflows is an internal repository; using @main is acceptable
+        anchore/*: any
   dangerous-triggers:
     ignore:
       # Safe use of pull_request_target - only runs trusted scripts from base repo,
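Review bot: With `advanced-security: false` the step's outcome now rests entirely on zizmor's default severity and confidence threshold, which the hunk does not set, so the comment's "simple pass/fail gate" is a gate whose threshold is implicit and can move on the next action upgrade. If the pinned action exposes `min-severity` / `min-confidence` inputs (the zizmor-action versions I have seen do; confirm for v0.3.0), setting them explicitly next to `config: .github/zizmor.yml` makes the gate's threshold visible in the workflow itself. Separately, if the job still grants `security-events: write` for the SARIF upload that is now disabled, that permission can be dropped under least privilege; the job's `permissions:` block is outside this hunk, as is the rest of the step list.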
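Review bot: The new policy `anchore/*: any` is broader than the comment above it: the comment justifies only `anchore/workflows`, but the wildcard exempts every action under the `anchore` organization from the `unpinned-uses` audit, whereas the removed `ignore` entry covered a single workflow file. If zizmor's policy patterns accept an exact repository (its documentation lists `owner/repo` forms alongside `owner/*`; confirm for the version the workflow pins), `anchore/workflows: any` matches the stated intent; if the whole organization is meant to be trusted, change the comment instead, e.g. `# Actions in the anchore org are maintained in-house; a branch ref such as @main is accepted`. It is also worth re-running the audit on `update-anchore-dependencies.yml`, the file that was previously ignored outright, since a file-level ignore has been replaced by a repository-pattern policy and any non-anchore unpinned use in that file will now be reported. The `rules:` mapping continues past the end of the hunk.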