Skip to content

Resolve zizmor --pedantic findings and add report-only pedantic audit#62

Merged
djacu merged 3 commits into
mainfrom
harden/pedantic-cleanup
Jul 7, 2026
Merged

Resolve zizmor --pedantic findings and add report-only pedantic audit#62
djacu merged 3 commits into
mainfrom
harden/pedantic-cleanup

Conversation

@djacu

@djacu djacu commented Jul 7, 2026

Copy link
Copy Markdown
Member

What

Makes the workflows clean under zizmor --pedantic (21 findings → 0) and adds a report-only pedantic audit. Three commits:

  1. Zero-behavior-change fixes:
    • excessive-permissions: moved the workflow-level permissions in netlify-deploy.yml and release-npm-package.yaml down to their single job — identical effective permissions (the caller still sets the ceiling).
    • undocumented-permissions: added an explanatory comment to every write permission.
    • anonymous-definition: gave every job a name:.
  2. Concurrency (the one behavior change): added a concurrency group to release-guide.yml, netlify-deploy.yml, and release-npm-package.yaml with cancel-in-progress: false — overlapping runs queue rather than interrupting an in-progress release/deploy/publish. (check.yml already had concurrency.)
  3. Report-only pedantic audit: new .github/workflows/zizmor.yml (modeled on NixOS/infra) running zizmor --pedantic --format sarifcodeql-action/upload-sarif. SARIF mode exits 0, so it is non-blocking — pedantic findings appear as PR annotations and in the Security tab. The blocking gate stays the regular-persona run in check.yml (from Add workflow-security CI gate (zizmor + pinact) and Dependabot cooldown #61).

Design

A required gate should block on high-confidence findings and report opinionated ones:

  • check.yml (regular persona) blocks on real issues — unchanged.
  • zizmor.yml (pedantic) reports the opinionated smells without blocking, so a legitimate change isn't stopped by an opinion.

Verification

  • zizmor --pedantic .github/: 0 findings (was 21)
  • zizmor .github/ (regular gate): 0 findings
  • pinact run --check: clean (incl. the new upload-sarif pin)
  • actionlint: clean
  • The pedantic SARIF run produces valid SARIF with 0 findings (a clean baseline)

Notes

  • zizmor comes from the flake's pinned nixpkgs (.#zizmor, 1.18.0). infra runs a newer zizmor via a nixpkgs-unstable input; adding that later would modernize the audit set (and start reporting dependabot-cooldown).
  • SARIF upload needs security-events: write, which fork PRs don't get — so the upload step won't run on fork PRs (same limitation as infra). It's non-blocking, so that's cosmetic.
  • The report only catches regressions if the Security tab is reviewed; real regressions remain hard-blocked by check.yml.

djacu added 3 commits July 6, 2026 18:03
Address the zero-behavior-change pedantic findings:
- Move the workflow-level permissions in netlify-deploy.yml and
  release-npm-package.yaml down to their single job (excessive-permissions);
  identical effective permissions, since the caller still sets the ceiling.
- Add an explanatory comment to every write permission (undocumented-permissions).
- Give every job a name (anonymous-definition).

Takes zizmor --pedantic from 21 findings to 3 (only concurrency-limits, which
is handled in a separate commit).
Add a concurrency group to release-guide.yml, netlify-deploy.yml, and
release-npm-package.yaml with cancel-in-progress: false, so overlapping runs
queue rather than interrupt an in-progress release, deploy, or publish
(zizmor concurrency-limits). check.yml already had concurrency.

With this, zizmor --pedantic reports 0 findings.
Add .github/workflows/zizmor.yml (modeled on NixOS/infra) that runs
zizmor --pedantic --format sarif and uploads the result to code scanning.
SARIF mode exits 0, so it is report-only: pedantic findings surface as PR
annotations and in the Security tab for triage, while the blocking gate
remains the regular-persona run in check.yml.

Runs on PRs and pushes to main that touch .github/** or flake.lock. zizmor
comes from the flake's pinned nixpkgs (.#zizmor); upload-sarif is SHA-pinned.
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

Artifact comparison

0 modified · 0 added · 0 deleted · 96 unchanged

Download report — HTML file; open in a browser.

Compared
  • Base: 0227c7a973852e53761a53a191845c0e5adfe2bf (current main tip when this ran)
  • After: 1140e4911efb1832378ea981e52d108c9ba7d794 (merge commit; falls back to PR head if unmergeable)

@djacu djacu merged commit 9f328c5 into main Jul 7, 2026
8 checks passed
@djacu djacu deleted the harden/pedantic-cleanup branch July 7, 2026 01:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants