Resolve zizmor --pedantic findings and add report-only pedantic audit#62
Merged
Conversation
Address the zero-behavior-change pedantic findings: - Move the workflow-level permissions in netlify-deploy.yml and release-npm-package.yaml down to their single job (excessive-permissions); identical effective permissions, since the caller still sets the ceiling. - Add an explanatory comment to every write permission (undocumented-permissions). - Give every job a name (anonymous-definition). Takes zizmor --pedantic from 21 findings to 3 (only concurrency-limits, which is handled in a separate commit).
Add a concurrency group to release-guide.yml, netlify-deploy.yml, and release-npm-package.yaml with cancel-in-progress: false, so overlapping runs queue rather than interrupt an in-progress release, deploy, or publish (zizmor concurrency-limits). check.yml already had concurrency. With this, zizmor --pedantic reports 0 findings.
Add .github/workflows/zizmor.yml (modeled on NixOS/infra) that runs zizmor --pedantic --format sarif and uploads the result to code scanning. SARIF mode exits 0, so it is report-only: pedantic findings surface as PR annotations and in the Security tab for triage, while the blocking gate remains the regular-persona run in check.yml. Runs on PRs and pushes to main that touch .github/** or flake.lock. zizmor comes from the flake's pinned nixpkgs (.#zizmor); upload-sarif is SHA-pinned.
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
Artifact comparison0 modified · 0 added · 0 deleted · 96 unchanged Download report — HTML file; open in a browser. Compared
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Makes the workflows clean under
zizmor --pedantic(21 findings → 0) and adds a report-only pedantic audit. Three commits:excessive-permissions: moved the workflow-levelpermissionsinnetlify-deploy.ymlandrelease-npm-package.yamldown to their single job — identical effective permissions (the caller still sets the ceiling).undocumented-permissions: added an explanatory comment to every write permission.anonymous-definition: gave every job aname:.concurrencygroup torelease-guide.yml,netlify-deploy.yml, andrelease-npm-package.yamlwithcancel-in-progress: false— overlapping runs queue rather than interrupting an in-progress release/deploy/publish. (check.ymlalready had concurrency.).github/workflows/zizmor.yml(modeled on NixOS/infra) runningzizmor --pedantic --format sarif→codeql-action/upload-sarif. SARIF mode exits 0, so it is non-blocking — pedantic findings appear as PR annotations and in the Security tab. The blocking gate stays the regular-persona run incheck.yml(from Add workflow-security CI gate (zizmor + pinact) and Dependabot cooldown #61).Design
A required gate should block on high-confidence findings and report opinionated ones:
Verification
zizmor --pedantic .github/: 0 findings (was 21)zizmor .github/(regular gate): 0 findingspinact run --check: clean (incl. the newupload-sarifpin)actionlint: cleanNotes
.#zizmor, 1.18.0). infra runs a newer zizmor via anixpkgs-unstableinput; adding that later would modernize the audit set (and start reportingdependabot-cooldown).security-events: write, which fork PRs don't get — so the upload step won't run on fork PRs (same limitation as infra). It's non-blocking, so that's cosmetic.check.yml.