From 51f0909432b1335d8ac42dcdf2a43463d96ce2a6 Mon Sep 17 00:00:00 2001
From: kreinba
Date: Sun, 21 Jun 2026 00:14:15 +0000
Subject: [PATCH 1/2] feat(#571): add zizmor static analysis workflow

---
 .github/workflows/zizmor.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 000000000..b6036232e
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,25 @@
+# SPDX-FileCopyrightText: Copyright (c) 2016-2026 Objectionary.com
+# SPDX-License-Identifier: MIT
+---
+# yamllint disable rule:line-length
+name: zizmor
+'on':
+ push:
+ branches:
+ - master
+ pull_request:
+ branches:
+ - master
+permissions:
+ contents: read
+jobs:
+ zizmor:
+ timeout-minutes: 15
+ runs-on: ubuntu-24.04
+ permissions:
+ security-events: write
+ contents: read
+ actions: read
+ steps:
+ - uses: actions/checkout@v7
+ - uses: zizmorcore/zizmor-action@v0.5.6

From 0214a4d4b0d29fc1984e314549f1072177c164e7 Mon Sep 17 00:00:00 2001
From: kreinba
Date: Sun, 21 Jun 2026 00:17:32 +0000
Subject: [PATCH 2/2] chore(#571): allow ref-pin and harden checkout for zizmor

---
 .github/workflows/zizmor.yml | 2 ++
 .github/zizmor.yml | 8 ++++++++
 2 files changed, 10 insertions(+)
 create mode 100644 .github/zizmor.yml

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index b6036232e..ab8a5deac 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -22,4 +22,6 @@ jobs:
 actions: read
 steps:
 - uses: actions/checkout@v7
+ with:
+ persist-credentials: false
 - uses: zizmorcore/zizmor-action@v0.5.6
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 000000000..b21c273ea
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,8 @@
+# SPDX-FileCopyrightText: Copyright (c) 2016-2026 Objectionary.com
+# SPDX-License-Identifier: MIT
+---
+rules:
+ unpinned-uses:
+ config:
+ policies:
+ "*": ref-pin
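Review bot: Both `uses:` steps at the end of the new workflow pin by mutable tag (`actions/checkout@v7`, `zizmorcore/zizmor-action@v0.5.6`); a tag can be repointed to different code after the fact, so the job does not get the integrity guarantee a commit SHA gives, and zizmor's own `unpinned-uses` check is precisely what the follow-up config in this series relaxes to let it pass. Prefer `- uses: zizmorcore/zizmor-action@<commit-sha-placeholder> # v0.5.6` (and the same for checkout if the repo wants one policy for all actions), with the SHA taken from the action's release and the tag kept in the trailing comment for readability. Separately, `# yamllint disable rule:line-length` is a file-wide suppression but no line in this hunk is long, so dropping it keeps the linter's coverage. The `pull_request` trigger combined with `security-events: write` is fine for same-repo branches, but a fork PR runs with a read-only token, so if the action uploads SARIF in that case it will presumably fail — worth confirming against the action's inputs.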
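Review bot: `"*": ref-pin` in the `policies` map of the new `.github/zizmor.yml` applies to every action in every workflow, not just the one it was added for, so any third-party action introduced later will pass zizmor with only a tag reference; as far as I recall zizmor's default is `hash-pin` for third-party actions with `ref-pin` accepted only for a few first-party namespaces, which makes this a repository-wide downgrade. Scope the exception to the action that needs it and keep the strict default for the rest, e.g. `"zizmorcore/*": ref-pin` followed by `"*": hash-pin` (zizmor matches the more specific pattern first, to my recollection — verify), or better, hash-pin the action in the workflow and drop this override entirely. A one-line comment above `policies:` stating why the exception exists (`# zizmor-action is referenced by tag; see #571`) would stop the next reader from tightening or loosening it blindly.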