Skip to content

chore(ci): apply security fixes, add zizmor workflow#716

Merged
woodruffw merged 5 commits into
mainfrom
ww/ci-fixes
Aug 1, 2025
Merged

chore(ci): apply security fixes, add zizmor workflow#716
woodruffw merged 5 commits into
mainfrom
ww/ci-fixes

Conversation

@woodruffw
Copy link
Copy Markdown
Member

@woodruffw woodruffw commented Jul 31, 2025
edited
Loading

90% of this is from --fix=unsafe, with the rest
being being my manual fixups.

In addition to the fixes themselves, I've done the following:

  • I added a new top-level workflow that will flag any additional findings in the future (both inline in PRs and also in GitHub's "advanced security" integration). That latter one might need to be disabled though if the org doesn't have it enabled, though.
  • I added GitHub Actions to the Dependabot config, and also enabled cooldown everywhere to make it a bit harder for us to introduce newly broken or compromised deps. It's not perfect, but it's better than realtime consumption given that we're already on a monthly deps schedule 🙂

Signed-off-by: William Woodruff william@astral.sh

woodruffw added 3 commits July 31, 2025 14:21
@woodruffw
chore(ci): apply security fixes, add zizmor workflow
61e3fba 
90% of this is from `--fix=unsafe`, with the rest
being being my manual fixups.

Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw
dependabot: keep github-actions updated
d72512a 
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw
add cooldowns to dependabot
2d4fc52 
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw requested a review from geofft July 31, 2025 18:28
@github-advanced-security
Copy link
Copy Markdown

github-advanced-security AI commented Jul 31, 2025

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@woodruffw
fixup variable interpolation for shell: cmd
c287a1c 
Signed-off-by: William Woodruff <william@astral.sh>
zanieb
zanieb reviewed Jul 31, 2025
View reviewed changes
Comment thread .github/workflows/zizmor.yml Outdated
@woodruffw
fewer cutesy emojis
15dbd3b 
Signed-off-by: William Woodruff <william@astral.sh>
@woodruffw woodruffw marked this pull request as ready for review July 31, 2025 20:25
@woodruffw woodruffw merged commit 98ed871 into main Aug 1, 2025
439 checks passed
@woodruffw woodruffw deleted the ww/ci-fixes branch August 1, 2025 14:25
@zanieb zanieb mentioned this pull request Aug 7, 2025
Merged
zanieb added a commit that referenced this pull request Aug 7, 2025
@zanieb
Fix label subsetting (#731)
4cfefb5 
Regressed in #716
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zanieb zanieb zanieb approved these changes

@geofft geofft Awaiting requested review from geofft

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@woodruffw @github-advanced-security @zanieb