
Do not use pip-install; add dependency cooldowns#5146

Open
JelleZijlstra wants to merge 1 commit into
psf:mainfrom
JelleZijlstra:codex/zizmor-low-severity

Conversation

@JelleZijlstra
Collaborator

Zizmor recommends against pip-install (https://docs.zizmor.sh/audits/#misfeature).

Also add dependency cooldowns to prevent supply-chain compromises.

@JelleZijlstra JelleZijlstra added the "ci: skip news" label (Pull requests that don't need a changelog entry) on May 21, 2026
@github-actions
Contributor

diff-shades results comparing this PR (8a0b468) to main (7613840):

--preview style: no changes

--stable style: no changes


@cobaltt7
Collaborator

Zizmor recommends against pip-install because it installs dependencies to the global scope and makes them vulnerable to dependency conflicts. This change does the same thing, just without being flagged by Zizmor. The correct fix to this would be to create a venv inside the workflow and install dependencies there. IMO that's overkill and unnecessary because there's only one pip-install per job and not much opportunity for conflicts.
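The "dependency cooldown" named in the PR title, shown as an added example rather than the PR's own change: a resolver that only accepts releases published at least N days before the install, so a compromised upload has time to be noticed and yanked before CI pulls it. The release data is constructed in the shape of PyPI's JSON API "releases" field; the package name, versions and dates are made up for the example.

```python
from datetime import datetime, timedelta

# Constructed sample in the shape of PyPI's JSON API "releases" field:
# version -> list of uploaded files. Package, versions and dates are made up.
SAMPLE_RELEASES = {
    "1.0.0": [{"upload_time_iso_8601": "2026-04-01T10:00:00Z", "yanked": False}],
    "1.1.0": [{"upload_time_iso_8601": "2026-05-10T09:30:00Z", "yanked": False}],
    "1.1.1": [{"upload_time_iso_8601": "2026-05-12T08:00:00Z", "yanked": True}],
    "1.2.0": [{"upload_time_iso_8601": "2026-05-20T23:00:00Z", "yanked": False}],
}


def parse_ts(value):
    """Parse a PyPI-style ISO-8601 timestamp ('Z' suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def release_time(files):
    """A release counts as published when its first file was uploaded."""
    return min(parse_ts(f["upload_time_iso_8601"]) for f in files)


def version_key(version):
    """Sort key for plain dotted numeric versions (enough for the sample data)."""
    return tuple(int(part) for part in version.split("."))


def eligible_versions(releases, now_iso, cooldown_days=7):
    """Versions published at least `cooldown_days` before `now_iso`, newest first.

    Yanked releases and releases with no files are never eligible.
    """
    cutoff = parse_ts(now_iso) - timedelta(days=cooldown_days)
    eligible = [
        version
        for version, files in releases.items()
        if files
        and not any(f.get("yanked") for f in files)
        and release_time(files) <= cutoff
    ]
    return sorted(eligible, key=version_key, reverse=True)


def pin_with_cooldown(name, releases, now_iso, cooldown_days=7):
    """Return a 'name==version' pin that honours the cooldown, or None if nothing qualifies."""
    eligible = eligible_versions(releases, now_iso, cooldown_days)
    return f"{name}=={eligible[0]}" if eligible else None
```

Run against the sample on the day this PR was opened, the day-old 1.2.0 upload and the yanked 1.1.1 are skipped and the pin falls back to 1.1.0.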
