From b66322836181fea3c70fecf658d224d59fa67425 Mon Sep 17 00:00:00 2001 From: Colin Dean Date: Wed, 1 Jul 2026 11:46:01 -0400 Subject: [PATCH] Migrate zizmor workflow to zizmor/zizmor-action MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit MPD was a very early adopter of zizmor and used the old way of doing it. zizmor-action basically does it like how we were doing it, but… better, and with only one dep to update. --- .github/workflows/zizmor.yml | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 7f62ce6..f494729 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -10,28 +10,16 @@ permissions: {} jobs: zizmor: - name: zizmor latest via PyPI runs-on: ubuntu-latest permissions: security-events: write - contents: read # only needed for private repos - actions: read # only needed for private repos + contents: read # only needed for private or internal repos + actions: read # only needed for private or internal repos steps: - name: Checkout repository - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - - name: Install the latest version of uv - uses: astral-sh/setup-uv@fac544c07dec837d0ccb6301d7b5580bf5edae39 # v8.2.0 - - name: Run zizmor 🌈 - run: uvx zizmor --format=sarif . > results.sarif - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - - name: Upload SARIF file - uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2 - with: - sarif_file: results.sarif - category: zizmor + uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7