gateway: emit with.version for known unpinned-tools actions (unblocks #885)#893
Open

potiuk wants to merge 1 commit into
Conversation
d76dce8 to d5d3a1a
`1Password/load-secrets-action` with an inline `# zizmor: ignore[]` comment, but placed it on the `if: false` line. zizmor only honours the ignore on the line where the finding lives — line 40 (the `- uses:` line) — so the suppression never took effect, and #885 (zizmor 0.5.5 → 0.5.6 bump) has been stuck failing CI ever since.

Inline placement on the `- uses:` line would also be fragile: it sits next to dependabot's `# v4.0.0` version comment, and dependabot rewrites that comment on every bump. The zizmor docs (configuration guide) also state that "composite action findings cannot be ignored via `zizmor.yml`", so the config-file path is closed.

The audit's actual remediation (per its source at crates/zizmor/src/audit/unpinned_tools.rs) is to set a static `with.version` value. The audit fires only when the input is missing or literal `latest`. Setting it to any specific string silences the finding. Since these composite entries are `if: false` (allowlist registration only — they never execute), the version value is cosmetic; only the static analyser cares.

This change:

- Adds `_unpinned_tool_version_pin()` + `_UNPINNED_TOOLS_VERSION_PINS` in `gateway/gateway.py` so the composite generator emits a `with.version` block for any action zizmor's `unpinned-tools` audit knows about (currently `1password/load-secrets-action` and `aquasecurity/setup-trivy`; the latter is preemptive — we don't carry it on the allowlist today).
- Applies the same `with.version` block manually to the existing `1Password/load-secrets-action` entries in the composite. The next full regeneration (post #892's pipeline recovery) will produce identical content; the manual edit only fast-paths the fix so #885 can land immediately.
- Drops the no-op `# zizmor: ignore[unpinned-tools]` tail comment #886 added on the `if: false` line — the version pin is now the real suppression mechanism.

Local verification: `zizmor --min-severity medium --min-confidence medium .github/ allowlist-check/ pelican/ stash/` now reports "No findings to report. Good job!" (down from 1 medium). Gateway tests still pass (8 passed).

Generated-by: Claude Opus 4.7
d5d3a1a to 3d112b0
potiuk (Member, Author) commented:

Ping @raboof @ppkarwasz @dfoulks1 — this one's blocking #885 (zizmor 0.5.6 bump). Verified locally: zizmor 1.25.2 reports clean on this branch whereas main alone reports 1 medium on the 1Password
## Summary

#886 tried to silence zizmor 1.25.2's new `unpinned-tools` audit on `1Password/load-secrets-action` with an inline `# zizmor: ignore[]` comment, but placed it on the `if: false` line. zizmor only honours the ignore on the line where the finding lives (line 40 — the `- uses:` line), so the suppression never took effect, and #885 (zizmor 0.5.5 → 0.5.6) has been stuck failing CI ever since.

## Why not just move the inline ignore to the right line?

Two reasons:

- The `- uses:` line already carries dependabot's `# v4.0.0` version comment. Dependabot rewrites that comment on every bump and would strip an appended zizmor-ignore tail.
- `zizmor.yml` config — the zizmor configuration docs state explicitly: "Composite action findings cannot be ignored via `zizmor.yml` currently. They can be ignored inline [with comments]."

## Why pin `with.version` instead

The audit's actual remediation (per its source at `crates/zizmor/src/audit/unpinned_tools.rs`) is to set a static `with.version` value. The audit fires only when the input is missing or set to literal `latest`. Setting it to any specific string silences the finding cleanly. Since these composite entries are `if: false` (allowlist registration only — they never execute), the version value is cosmetic; only the static analyser cares.

## Changes

- `gateway/gateway.py` — new `_unpinned_tool_version_pin()` helper + `_UNPINNED_TOOLS_VERSION_PINS` table so the composite generator emits a `with.version` block for any action zizmor's `unpinned-tools` audit knows about (`1password/load-secrets-action` today; `aquasecurity/setup-trivy` preemptive, even though we don't carry it on the allowlist).
- `with.version` block to the existing `1Password/load-secrets-action` and `…/configure` entries. The next full regeneration (post #892's pipeline recovery; #892 is "hotfix: restore ALLOWLIST_WORKFLOW_TOKEN PAT in update.yml (branch protection)") will produce identical content; the manual edit only fast-paths the fix so #885 ("build(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 in /.github/workflows") can land immediately.
- `# zizmor: ignore[unpinned-tools]` tail comment that #886 ("allowlist: silence zizmor unpinned-tools on if:false 1Password load-secrets-action") added on the `if: false` line — the version pin is the real suppression mechanism now.

## Test plan

- zizmor 1.25.2 (the version bundled by `zizmor-action@v0.5.6`): `zizmor --min-severity medium --min-confidence medium .github/ allowlist-check/ pelican/ stash/` → "No findings to report. Good job!" (down from 1 medium).
- `uv run pytest gateway/` → 8 passed.
- `with.version` content for the 1Password entries (the only differences are unrelated version drift from the still-broken update workflow on main — which #892 will heal).
- `@dependabot rebase`) → expect `Run zizmor 🌈` to pass clean.

🤖 Generated with Claude Code
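The commit message and the PR description above both rest on one mechanism: zizmor's `unpinned-tools` audit reports a known tool-installer action only when `with.version` is absent or literally `latest`, so a generator that emits a static version string for every action in a known-tools table makes the finding disappear. The Python below is an added illustration of that mechanism; it is not `gateway/gateway.py`, not zizmor's own audit code, and not part of this PR. The pin values, the `uses_comment` field that stands in for dependabot's trailing `# vX.Y.Z` comment, the fake SHAs and the sample steps are constructed for the example. Matching lowercases `owner/repo` because GitHub repository slugs are case-insensitive (the composite spells `1Password/...` while the table key is `1password/...`); that the real audit normalizes the same way is an assumption here.

```python
"""Added example: a model of zizmor's `unpinned-tools` rule and of a
generator that emits a static `with.version` pin for known tool actions.
Illustrative code only; not gateway/gateway.py and not zizmor itself."""

from __future__ import annotations

# Actions the PR says zizmor's unpinned-tools audit knows about. Keys are
# lowercased "owner/repo"; the version strings are assumed values for this
# example (any specific string satisfies the audit, per the PR description).
UNPINNED_TOOL_VERSION_PINS: dict[str, str] = {
    "1password/load-secrets-action": "v4.0.0",
    "aquasecurity/setup-trivy": "v0.2.0",
}


def action_key(uses: str) -> str | None:
    """Reduce 'Owner/Repo[/subpath]@ref' to lowercase 'owner/repo'.

    Returns None for references that are not owner/repo actions (./local,
    docker://). Lowercasing is an assumption about how the audit matches;
    GitHub repository slugs themselves are case-insensitive.
    """
    if uses.startswith(("./", "docker://")):
        return None
    owner_repo = uses.split("@", 1)[0].split("/")
    if len(owner_repo) < 2 or not owner_repo[0] or not owner_repo[1]:
        return None
    return f"{owner_repo[0]}/{owner_repo[1]}".lower()


def audit_unpinned_tool(step: dict) -> str | None:
    """Model of the audit: a finding iff the action is a known tool and
    `with.version` is absent or the literal string 'latest'."""
    uses = step.get("uses")
    if not uses or action_key(uses) not in UNPINNED_TOOL_VERSION_PINS:
        return None
    version = (step.get("with") or {}).get("version")
    if version is None or str(version).strip().lower() == "latest":
        return f"unpinned-tools: {uses} has no static with.version"
    return None


def pin_tool_version(step: dict) -> dict:
    """Return a copy of `step` with a static `with.version` for known tools.

    An explicit, non-'latest' version already present is left untouched;
    unknown actions come back unchanged (no empty `with:` block is added).
    """
    uses = step.get("uses")
    key = action_key(uses) if uses else None
    if key not in UNPINNED_TOOL_VERSION_PINS:
        return dict(step)
    pinned = dict(step)
    with_block = dict(step.get("with") or {})
    if with_block.get("version") in (None, "latest"):
        with_block["version"] = UNPINNED_TOOL_VERSION_PINS[key]
    pinned["with"] = with_block
    return pinned


def render_step(step: dict, indent: int = 6) -> str:
    """Render a step as YAML text. The dependabot `# vX.Y.Z` comment stays on
    the `- uses:` line (modelled as step['uses_comment']); the pin lives in a
    separate `with:` block, so a dependabot rewrite of that comment cannot
    remove it."""
    pad = " " * indent
    uses_line = f"{pad}- uses: {step['uses']}"
    if step.get("uses_comment"):
        uses_line += f" # {step['uses_comment']}"
    lines = [uses_line]
    if "if" in step:
        lines.append(f"{pad}  if: {step['if']}")
    if step.get("with"):
        lines.append(f"{pad}  with:")
        lines.extend(f"{pad}    {k}: {v}" for k, v in step["with"].items())
    return "\n".join(lines)


# Constructed sample steps (fake 40-hex SHA), mirroring allowlist-only
# entries that never execute because of `if: false`.
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_STEPS = [
    {"uses": f"1Password/load-secrets-action@{FAKE_SHA}", "uses_comment": "v4.0.0", "if": "false"},
    {"uses": f"actions/checkout@{FAKE_SHA}", "uses_comment": "v4.1.1", "if": "false"},
    {"uses": f"aquasecurity/setup-trivy@{FAKE_SHA}", "if": "false", "with": {"version": "latest"}},
]


def findings(steps: list[dict]) -> list[str]:
    """All unpinned-tools findings for a list of steps."""
    return [f for f in (audit_unpinned_tool(s) for s in steps) if f]


if __name__ == "__main__":
    print("before:", findings(SAMPLE_STEPS))
    pinned_steps = [pin_tool_version(s) for s in SAMPLE_STEPS]
    print("after: ", findings(pinned_steps))
    print("\n".join(render_step(s) for s in pinned_steps))
```

The model is for understanding the fix, not a substitute for the check; the authoritative verification remains running the real `zizmor` binary the CI job uses, as the test plan does. One caveat that follows from the PR's own reasoning: the version value is cosmetic only because these entries are `if: false`. For a tool-installer step that actually runs, the pinned `with.version` is what gets installed, so there it should be a real, reviewed release rather than an arbitrary string that merely quiets the analyser.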