
Address some Zizmor lints #22817

Open
BenjaminBrienen wants to merge 4 commits into bevyengine:main from BenjaminBrienen:zizmor

Conversation

@BenjaminBrienen
Contributor

Objective

Minimize security issues
Real issues don't get drowned out by fixable small issues

Solution

Apply recommended fixes such as passing secrets explicitly.
Ignore a lint in 2 workflows because it is necessary.

Testing

Ran Zizmor locally

 techn0@IO  ~/source/bevy   main ±  zizmor . --fix=all
🌈 zizmor v1.22.0
 INFO audit: zizmor: 🌈 completed ./.github/actions/install-linux-deps/action.yml
 INFO audit: zizmor: 🌈 completed ./.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/action-on-PR-labeled.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/ci-comment-failures.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/ci.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/dependencies.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/docs.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/example-run-report.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/example-run.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/post-release.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/security-static-analysis.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/send-screenshots-to-pixeleagle.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/update-caches.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/validation-jobs.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/weekly.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/welcome.yml
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> ./.github/workflows/ci-comment-failures.yml:6:1
   |
 6 | / on:
 7 | |   workflow_run:
 8 | |     workflows: ["CI"]
 9 | |     types:
10 | |       - completed
   | |_________________^ workflow_run is almost always used insecurely
   |
   = note: audit confidence → Medium

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> ./.github/workflows/example-run-report.yml:10:1
   |
10 | / on:
11 | |   workflow_run:
12 | |     workflows: ["Example Run"]
13 | |     types:
14 | |       - completed
   | |_________________^ workflow_run is almost always used insecurely
   |
   = note: audit confidence → Medium

121 findings (2 ignored, 117 suppressed): 0 informational, 0 low, 0 medium, 2 high
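The first fix the Solution section names, passing secrets explicitly instead of inheriting them, as an added example that is not code from this PR or from the Bevy repository; the file name publish.yml, the secret name CRATES_TOKEN and the job layout are hypothetical:

```yaml
# Added example, not code from this PR or from Bevy; file and secret names
# are hypothetical. Document 1 is a caller workflow: the commented-out job
# forwards every repository secret to the reusable workflow (zizmor's
# secrets-inherit audit flags this); the live job passes only the one
# secret the callee declares.
name: Publish
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
jobs:
  # weak form: secrets unrelated to publishing are reachable from publish.yml
  # publish:
  #   uses: ./.github/workflows/publish.yml
  #   secrets: inherit
  publish:
    uses: ./.github/workflows/publish.yml
    secrets:
      CRATES_TOKEN: ${{ secrets.CRATES_TOKEN }}  # explicit: only what is needed
---
# Document 2 is the reusable workflow. Declaring the secret under
# workflow_call makes the contract explicit: a caller that omits it fails
# at validation, and no other secret is available inside these jobs.
name: publish
on:
  workflow_call:
    secrets:
      CRATES_TOKEN:
        required: true
permissions:
  contents: read
jobs:
  upload:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo publish --dry-run
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_TOKEN }}
```

For the two `workflow_run` triggers the run above still reports, zizmor's inline `# zizmor: ignore[dangerous-triggers]` comment on the flagged `on:` line is one way to suppress a finding in just those files; whether this PR used that or a config file is not shown here.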

@BenjaminBrienen
Contributor Author

I think ci-comment-failures could be called by CI and example-run-report can be called by example-run

zizmor.yaml Outdated
Member


I would prefer to not have this file

Contributor Author


Is that better now?
