use zizmor config

dunglas · dunglas · commit f51693cb639b · 2026-04-24T17:15:43.000+02:00
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -80,8 +80,6 @@ jobs:
           VERSION: ${{ (github.ref_type == 'tag' && github.ref_name) || steps.check.outputs.ref || 'dev' }}
           PHP_VERSION: ${{ steps.check.outputs.php_version }}
   build:
-    # TODO: re-enable the environment when the GitHub UI supports grouping or masking environment notifications (they pollute pull requests right now)
-    #environment: dockerhub
     runs-on: ${{ startsWith(matrix.platform, 'linux/arm') && 'ubuntu-24.04-arm' || 'ubuntu-24.04' }}
     needs:
       - prepare
@@ -206,8 +204,6 @@ jobs:
 
   # Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/
   push:
-    # TODO: re-enable the environment when the GitHub UI supports grouping or masking environment notifications (they pollute pull requests right now)
-    #environment: dockerhub
     runs-on: ubuntu-24.04
     needs:
       - prepare
diff --git a/.github/workflows/static.yaml b/.github/workflows/static.yaml
@@ -84,8 +84,6 @@ jobs:
           VERSION: ${{ steps.check.outputs.ref || 'dev' }}
 
   build-linux-musl:
-    # TODO: re-enable the environment when the GitHub UI supports grouping or masking environment notifications (they pollute Pull Requests right now)
-    #environment: dockerhub
     permissions:
       contents: write
       id-token: write
@@ -221,8 +219,6 @@ jobs:
           BINARY: ./frankenphp-linux-${{ matrix.platform == 'linux/amd64' && 'x86_64' || 'aarch64' }}${{ matrix.debug && '-debug' || '' }}${{ matrix.mimalloc && '-mimalloc' || '' }}
 
   build-linux-gnu:
-    # TODO: re-enable the environment when the GitHub UI supports grouping or masking environment notifications, because they pollute pull requests right now
-    #environment: dockerhub
     permissions:
       contents: write
       id-token: write
@@ -381,8 +377,6 @@ jobs:
 
   # Adapted from https://docs.docker.com/build/ci/github-actions/multi-platform/
   push:
-    # TODO: re-enable the environment when the GitHub UI supports grouping or masking environment notifications (they pollute pull requests right now)
-    #environment: dockerhub
     runs-on: ubuntu-24.04
     needs:
       - prepare
diff --git a/zizmor.yaml b/zizmor.yaml
@@ -4,3 +4,8 @@ rules:
     config:
       policies:
         "*": ref-pin
+  secrets-outside-env:
+    config:
+      allow:
+        # TODO: re-enable the environment when the GitHub UI supports grouping or masking environment notifications (they pollute pull requests right now)
+        - DOCKERHUB_TOKEN
