Skip to content

fix(ci): run zizmor via uvx#2162

Merged
Pouyanpi merged 1 commit into
developfrom
pouyanpi/ci-fix-zizmore-action
Jul 10, 2026
Merged

fix(ci): run zizmor via uvx#2162
Pouyanpi merged 1 commit into
developfrom
pouyanpi/ci-fix-zizmore-action

Conversation

@Pouyanpi

@Pouyanpi Pouyanpi commented Jul 10, 2026

Copy link
Copy Markdown
Collaborator

Summary

Run zizmor through its documented PyPI integration with a workflow-level version variable instead of the blocked zizmorcore/zizmor-action.

Reason

The repository's inherited GitHub Actions policy allows GitHub-owned and verified-creator actions. Because zizmorcore is not verified, the security workflow stops with startup_failure before creating a job or log. Running the same pinned zizmor version through uvx avoids the blocked action while preserving online audits.

Revert condition

Revert to the SHA-pinned zizmorcore/zizmor-action when the inherited Actions policy explicitly permits it or zizmorcore becomes a verified GitHub organization.

Verification

  • uv run --locked pre-commit run --files .github/workflows/zizmor.yml PR.md

Summary by CodeRabbit

  • Chores
    • Updated the security workflow to run a pinned Zizmor version directly.
    • Standardized workflow setup and reporting while preserving GitHub token-based auditing.

Signed-off-by: Pouyanpi <13303554+Pouyanpi@users.noreply.github.com>
@Pouyanpi Pouyanpi added the CI label Jul 10, 2026
@Pouyanpi Pouyanpi self-assigned this Jul 10, 2026
@github-actions github-actions Bot added status: needs triage New issues that have not yet been reviewed or categorized. size: S labels Jul 10, 2026
@Pouyanpi Pouyanpi added status: triaged Triaged by a maintainer; eligible for automated review (CodeRabbit/Greptile). and removed status: needs triage New issues that have not yet been reviewed or categorized. labels Jul 10, 2026
@greptile-apps

greptile-apps Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Greptile Summary

This PR replaces the blocked zizmorcore/zizmor-action GitHub Action with a direct uvx invocation of zizmor, working around the repository's verified-creator Actions policy that prevents zizmorcore/zizmor-action from running.

  • Adds a workflow-level ZIZMOR_VERSION: "1.26.1" variable to keep the pinned version in one place, then wires it into uvx "zizmor@${ZIZMOR_VERSION}" --format=github ..
  • Introduces a setup-uv step using the existing local composite action (.github/actions/setup-uv), which is already SHA-pinned to astral-sh/setup-uv.
  • Online audits are preserved by exposing GH_TOKEN: ${{ github.token }} as an environment variable, which zizmor recognises for GitHub API calls.

Confidence Score: 5/5

Safe to merge. The change is a narrow, self-contained swap of one CI step for an equivalent uvx invocation with no effect on production code.

The local setup-uv composite action exists and is SHA-pinned. The uvx zizmor@${ZIZMOR_VERSION} syntax correctly pins to 1.26.1, --format=github preserves annotation output, and GH_TOKEN satisfies zizmor's online-audit authentication requirement. Permissions are unchanged at contents: read.

No files require special attention.

Important Files Changed

Filename Overview
.github/workflows/zizmor.yml Replaces zizmorcore/zizmor-action with uvx invocation; version is pinned, format and token handling are correct, and the local setup-uv composite action exists and is SHA-pinned.

Sequence Diagram

%%{init: {'theme': 'neutral'}}%%
sequenceDiagram
    participant GH as GitHub Actions runner
    participant UV as setup-uv (astral-sh/setup-uv)
    participant UVX as uvx
    participant ZIZ as zizmor 1.26.1
    participant GHAPI as GitHub API

    GH->>UV: Install uv (SHA-pinned composite action)
    UV-->>GH: uv ready, cache restored

    GH->>UVX: "uvx "zizmor@1.26.1" --format=github ."
    UVX->>ZIZ: "Download & run zizmor (pinned version)"
    ZIZ->>GHAPI: Online audit calls (GH_TOKEN env var)
    GHAPI-->>ZIZ: API responses
    ZIZ-->>GH: "Emit GitHub Actions annotations (--format=github)"
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
sequenceDiagram
    participant GH as GitHub Actions runner
    participant UV as setup-uv (astral-sh/setup-uv)
    participant UVX as uvx
    participant ZIZ as zizmor 1.26.1
    participant GHAPI as GitHub API

    GH->>UV: Install uv (SHA-pinned composite action)
    UV-->>GH: uv ready, cache restored

    GH->>UVX: "uvx "zizmor@1.26.1" --format=github ."
    UVX->>ZIZ: "Download & run zizmor (pinned version)"
    ZIZ->>GHAPI: Online audit calls (GH_TOKEN env var)
    GHAPI-->>ZIZ: API responses
    ZIZ-->>GH: "Emit GitHub Actions annotations (--format=github)"
Loading

Reviews (1): Last reviewed commit: "fix(ci): run zizmor via uvx" | Re-trigger Greptile

@coderabbitai

coderabbitai Bot commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 15b349ed-b189-49df-997b-1f31ac416574

📥 Commits

Reviewing files that changed from the base of the PR and between 96b5f37 and eb03232.

📒 Files selected for processing (1)
  • .github/workflows/zizmor.yml

📝 Walkthrough

Walkthrough

The Zizmor workflow now pins version 1.26.1 and runs Zizmor through uvx after setting up uv, passing the GitHub token through GH_TOKEN.

Changes

Zizmor workflow execution

Layer / File(s) Summary
Pinned uvx execution
.github/workflows/zizmor.yml
Defines ZIZMOR_VERSION, sets up uv, and replaces the Zizmor action with a direct uvx invocation using GitHub formatting and GH_TOKEN authentication.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Test Results For Major Changes ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main CI change: switching Zizmor to run via uvx.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pouyanpi/ci-fix-zizmore-action

Comment @coderabbitai help to get the list of available commands.

@Pouyanpi
Pouyanpi merged commit 816a3b1 into develop Jul 10, 2026
19 checks passed
@Pouyanpi
Pouyanpi deleted the pouyanpi/ci-fix-zizmore-action branch July 10, 2026 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

CI size: S status: triaged Triaged by a maintainer; eligible for automated review (CodeRabbit/Greptile).

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant