fix(ci): replace pip install with native zizmor binary

jdalton · jdalton · commit dddf96463899 · 2026-04-08T12:05:03.000-04:00
Replace `pip install zizmor==1.23.1` with a direct download of the
zizmor native binary from GitHub releases. The binary is verified
against a SHA-256 checksum before use.

This removes the Python/pip dependency entirely. zizmor is a Rust
binary that ships standalone builds for all platforms (Linux, macOS,
Windows) with no runtime dependencies.

Also switches from secrets.GITHUB_TOKEN to github.token to avoid
a zizmor secrets-outside-env warning.
diff --git a/.github/workflows/audit-gha-workflows.yml b/.github/workflows/audit-gha-workflows.yml
@@ -16,10 +16,46 @@ jobs:
         with:
           persist-credentials: false
       - name: Install zizmor
-        run: pip install zizmor==1.23.1
+        shell: bash
+        run: | # zizmor: ignore[github-env]
+          ZIZMOR_VERSION="1.23.1"
+          ZIZMOR_DIR="${RUNNER_TEMP:-/tmp}/zizmor-bin"
+          KERNEL="$(uname -s | cut -d- -f1)"
+          ARCH="$(uname -m)"
+          case "${KERNEL}-${ARCH}" in
+            Linux-x86_64)                      ASSET="zizmor-x86_64-unknown-linux-gnu.tar.gz"  ; EXPECTED_SHA256="67a8df0a14352dd81882e14876653d097b99b0f4f6b6fe798edc0320cff27aff" ;;
+            Linux-aarch64)                     ASSET="zizmor-aarch64-unknown-linux-gnu.tar.gz"  ; EXPECTED_SHA256="3725d7cd7102e4d70827186389f7d5930b6878232930d0a3eb058d7e5b47e658" ;;
+            Darwin-x86_64)                     ASSET="zizmor-x86_64-apple-darwin.tar.gz"        ; EXPECTED_SHA256="89d5ed42081dd9d0433a10b7545fac42b35f1f030885c278b9712b32c66f2597" ;;
+            Darwin-arm64)                      ASSET="zizmor-aarch64-apple-darwin.tar.gz"       ; EXPECTED_SHA256="2632561b974c69f952258c1ab4b7432d5c7f92e555704155c3ac28a2910bd717" ;;
+            MINGW64_NT-x86_64|MSYS_NT-x86_64) ASSET="zizmor-x86_64-pc-windows-msvc.zip"       ; EXPECTED_SHA256="33c2293ff02834720dd7cd8b47348aafb2e95a19bdc993c0ecaca9c804ade92a" ;;
+            *) echo "Unsupported platform: ${KERNEL}-${ARCH}" >&2; exit 1 ;;
+          esac
+          ZIZMOR_BIN="$ZIZMOR_DIR/zizmor"
+          [[ "$ASSET" == *.zip ]] && ZIZMOR_BIN="$ZIZMOR_DIR/zizmor.exe"
+          if [ ! -x "$ZIZMOR_BIN" ]; then
+            mkdir -p "$ZIZMOR_DIR"
+            DOWNLOAD_URL="https://github.com/woodruffw/zizmor/releases/download/v${ZIZMOR_VERSION}/${ASSET}"
+            DOWNLOAD_FILE="${ZIZMOR_DIR}/${ASSET}"
+            curl -fsSL -o "$DOWNLOAD_FILE" "$DOWNLOAD_URL"
+            ACTUAL_SHA256="$(shasum -a 256 "$DOWNLOAD_FILE" | cut -d' ' -f1)"
+            if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
+              echo "Checksum mismatch for ${ASSET}!" >&2
+              echo "  Expected: ${EXPECTED_SHA256}" >&2
+              echo "  Actual:   ${ACTUAL_SHA256}" >&2
+              exit 1
+            fi
+            if [[ "$ASSET" == *.zip ]]; then
+              unzip -qo "$DOWNLOAD_FILE" -d "$ZIZMOR_DIR"
+            else
+              tar xzf "$DOWNLOAD_FILE" -C "$ZIZMOR_DIR"
+            fi
+            rm -f "$DOWNLOAD_FILE"
+            chmod +x "$ZIZMOR_BIN"
+          fi
+          echo "$ZIZMOR_DIR" >> "${GITHUB_PATH:-/dev/null}"
       - name: Run zizmor
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ github.token }}
         run: |
           if [ -d .github ]; then
             zizmor .github --gh-token "${GITHUB_TOKEN}" --min-severity medium
