Skip to content

CI(zizmor): Add per-repo zizmor security audit workflow #289

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ModeSevenIndustrialSolutions wants to merge 4 commits into
base: main
Choose a base branch
from
+572 −2
Open

CI(zizmor): Add per-repo zizmor security audit workflow #289

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
a083f0a
CI(zizmor): Add per-repo zizmor security audit workflow
ModeSevenIndustrialSolutions May 12, 2026
7167d00
CI(dependabot): Add 7-day cooldown to all ecosystems
ModeSevenIndustrialSolutions May 13, 2026
c94c165
CI(autolabeler): Suppress zizmor dangerous-triggers warning
ModeSevenIndustrialSolutions May 13, 2026
24fdde3
CI(zizmor): Address Copilot review feedback
ModeSevenIndustrialSolutions May 13, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions .github/dependabot.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,14 @@

version: 2
updates:
- package-ecosystem: "github-actions"

Check warning on line 7 in .github/dependabot.yml

View workflow job for this annotation

GitHub Actions / Audit workflows

zizmor: zizmor/dependabot-cooldown 

insufficient cooldown in Dependabot updates
directory: "/"
schedule:
interval: "weekly"
commit-message:
prefix: "Chore"
open-pull-requests-limit: 15
- package-ecosystem: "uv"

Check warning on line 14 in .github/dependabot.yml

View workflow job for this annotation

GitHub Actions / Audit workflows

zizmor: zizmor/dependabot-cooldown 

insufficient cooldown in Dependabot updates
directory: "/"
schedule:
interval: "weekly"
Expand All @@ -20,3 +20,14 @@
open-pull-requests-limit: 15
exclude-paths:
- "LICENSES/**"
# Pip entry exists solely to keep the zizmor pin in
# .github/dependabot/zizmor-requirements.txt up to date; that
# file is consumed at run-time by .github/workflows/zizmor.yaml
# via grep, never installed via pip.
- package-ecosystem: "pip"

Check warning on line 27 in .github/dependabot.yml

View workflow job for this annotation

GitHub Actions / Audit workflows

zizmor: zizmor/dependabot-cooldown 

insufficient cooldown in Dependabot updates
directory: "/.github/dependabot"
schedule:
interval: "weekly"
commit-message:
prefix: "Chore"
open-pull-requests-limit: 5
Comment thread
ModeSevenIndustrialSolutions marked this conversation as resolved.
14 changes: 14 additions & 0 deletions .github/dependabot/zizmor-requirements.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
# SPDX-License-Identifier: Apache-2.0
# SPDX-FileCopyrightText: 2026 The Linux Foundation
#
# Pin for the zizmor static analyser used by
# .github/workflows/zizmor.yaml.
#
# This file exists solely so Dependabot can keep the zizmor version
# current via its pip ecosystem (see ../dependabot.yml). The
# workflow reads the pin from this file at run-time with grep; it
# is never installed by pip itself.
#
# Edit format: a single line of `zizmor==<version>`. Do not add
# other packages here.
zizmor==1.24.1
Loading
Loading