From f84ac76cbc741d67e2c0b7327accbed6f7ea52ae Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 27 Mar 2026 21:21:21 +0100
Subject: [PATCH 1/2] zizmor workflow
---
 .github/workflows/zizmor.yml | 27 +++++++++++++++++++++++++++
 .github/zizmor.yml | 4 ++++
 2 files changed, 31 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
 create mode 100644 .github/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000000..f9ad275247c
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,27 @@
+name: zizmor
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - 'master'
+ - 'releases/v*'
+ pull_request:
+
+jobs:
+ run:
+ uses: crazy-max/.github/.github/workflows/zizmor.yml@bbd31df64ee0f097a02f12495f541f9236f18c46 # v1.2.0
+ permissions:
+ contents: read
+ security-events: write
+ with:
+ min-severity: medium
+ min-confidence: medium
+ persona: pedantic
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
new file mode 100644
index 00000000000..6aee3c5d6d3
--- /dev/null
+++ b/.github/zizmor.yml
@@ -0,0 +1,4 @@
+# https://docs.zizmor.sh/configuration/
+rules:
+ secrets-outside-env:
+ disable: true
From 22d688c1bbe3fc81c46cc3acfeb001ab53ffc2a7 Mon Sep 17 00:00:00 2001
From: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Date: Fri, 27 Mar 2026 21:21:56 +0100
Subject: [PATCH 2/2] fix zizmor findings
---
 .github/dependabot.yml | 4 ++++
 .github/workflows/ci.yml | 8 +++-----
 .github/workflows/cleanup.yml | 6 ++----
 .github/workflows/labels.yml | 11 ++++-------
 .github/workflows/validate.yml | 7 +++----
 5 files changed, 16 insertions(+), 20 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 7d74ef691be..04384129953 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
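Review bot: The `run` job's `security-events: write` grant is undocumented, and because the workflow also fires on `pull_request`, a PR from a fork runs it with a read-only GITHUB_TOKEN in a public repository, so that scope cannot be honoured there. The scope presumably exists so the called workflow can upload zizmor's SARIF to code scanning; a trailing comment, `security-events: write # upload zizmor SARIF to code scanning`, would record that, and it is worth confirming that the reusable workflow at `bbd31df6…` skips the upload rather than failing the PR check when the token lacks the scope. The SHA pin with a `# v1.2.0` tag comment is the right form; keep the comment in sync whenever the pin moves, since it is the only human-readable version marker.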
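Review bot: `secrets-outside-env` is switched off for every workflow with a bare `disable: true`, and nothing says which `${{ secrets.* }}` usage prompted it, so any future finding of that class is silently lost as well. If one existing step is the cause, the narrower option is a per-finding entry under that rule's `ignore:` list (documented on the configuration page the file links to); failing that, a comment above the line, `# disabled because <workflow>.yml passes a secret as an action input — TODO confirm`, at least records the exemption so it can be revisited.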
@@ -4,6 +4,8 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 2 labels: - "kind/dependencies" - "bot" @@ -11,6 +13,8 @@ updates: directory: "/" schedule: interval: "daily" + cooldown: + default-days: 2 versioning-strategy: "increase" allow: - dependency-type: "production" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index f01e4fcd0d2..831acf1c3ab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -4,7 +4,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -21,8 +20,7 @@ jobs: ci: runs-on: ubuntu-latest permissions: - # required to push to gh-pages - contents: write + contents: write # required to push to gh-pages strategy: fail-fast: false matrix: @@ -36,7 +34,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Init run: | @@ -95,7 +93,7 @@ jobs: tree -f -h ./public - name: Check GitHub Pages status - uses: crazy-max/ghaction-github-status@v4 + uses: crazy-max/ghaction-github-status@fa6ac37620bc5d44b93e15caed498629665e9ff5 # v4.2.0 with: pages_threshold: major_outage - diff --git a/.github/workflows/cleanup.yml b/.github/workflows/cleanup.yml index b1699f532b2..1aa144529aa 100644 --- a/.github/workflows/cleanup.yml +++ b/.github/workflows/cleanup.yml @@ -4,7 +4,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -17,8 +16,7 @@ jobs: branches: runs-on: ubuntu-latest permissions: - # required to remove git branch - contents: write + contents: write # required to remove git branch strategy: fail-fast: false matrix: 
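Review bot: The `cooldown: default-days: 2` block added to both update entries (this hunk and `@@ -11,6 +13,8 @@`) has no comment, so its purpose is not recoverable from the file. Given that the rest of the commit pins every action to a commit SHA, the delay is presumably meant to let a freshly published release be pulled or flagged before Dependabot proposes it; a comment above `cooldown:`, `# wait 2 days after a release before proposing it, so a compromised or yanked release can be caught first`, would say so. The entry's `package-ecosystem` key sits above the hunk, so which ecosystem the first cooldown governs is not visible here.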
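Review bot: The `actions/checkout` pin in the `@@ -36,7 +34,7 @@` hunk of ci.yml keeps the action's default `persist-credentials: true`, and this job holds `contents: write` (see the `@@ -21,8 +20,7 @@` hunk), so a write-capable GITHUB_TOKEN stays in the clone's `.git/config` for the `Init` script and every later step, most of which lie outside the hunk. If the gh-pages push is done by a dedicated action or with an explicitly passed token rather than through the checked-out clone, add `with:` / `persist-credentials: false` under the `uses:` line; if the push does rely on the persisted credentials, a comment such as `# credentials kept: a later step pushes to gh-pages through this clone` documents why the default is intentional. The same default applies to the checkout pins in labels.yml and validate.yml, though those workflows only show `contents: read` in what is visible here.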
@@ -28,7 +26,7 @@ jobs: steps: - name: Delete branch - uses: actions/github-script@v8 + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 with: script: | await github.rest.git.deleteRef({ diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml index 00c66758578..0af553574c0 100644 --- a/.github/workflows/labels.yml +++ b/.github/workflows/labels.yml @@ -4,7 +4,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read @@ -24,16 +23,14 @@ jobs: labeler: runs-on: ubuntu-latest permissions: - # same as global permissions - contents: read - # required to update labels - issues: write + contents: read # same as global permissions + issues: write # required to update labels steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Run Labeler - uses: crazy-max/ghaction-github-labeler@v5 + uses: crazy-max/ghaction-github-labeler@24d110aa46a59976b8a7f35518cb7f14f434c916 # v5.3.0 with: dry-run: ${{ github.event_name == 'pull_request' }} diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml index a93c0664b1e..1ca68832428 100644 --- a/.github/workflows/validate.yml +++ b/.github/workflows/validate.yml @@ -4,7 +4,6 @@ concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true -# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions permissions: contents: read 
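Review bot: The inline comment `contents: read # same as global permissions` in labels.yml's `@@ -24,16 +23,14 @@` hunk gives the wrong reason for the line: a job-level `permissions:` block replaces the workflow-level one for that job and leaves every unlisted scope at none, so `contents: read` must be restated because the checkout step needs it, not because it mirrors the global block. Suggest `contents: read # job-level permissions replace the workflow block; checkout needs read`. The `issues: write # required to update labels` line beside it is accurate as written.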
@@ -27,11 +26,11 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v6 + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: List targets id: generate - uses: docker/bake-action/subaction/list-targets@v6 + uses: docker/bake-action/subaction/list-targets@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0 with: target: validate @@ -46,6 +45,6 @@ jobs: steps: - name: Validate - uses: docker/bake-action@v6 + uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0 with: targets: ${{ matrix.target }}