ci: Integrate zizmor checks to repo #818

Draft
wants to merge 2 commits into
base: master
6 changes: 6 additions & 0 deletions .pre-commit-config.yaml
Expand Up @@ -65,6 +65,12 @@ repos:
# https://prettier.io/docs/en/options.html#parser
files: .json5$

# Github Action static analysis tool
- repo: https://github.com/woodruffw/zizmor-pre-commit
rev: v1.3.1
hooks:
- id: zizmor
Comment on lines +68 to +72
💡 Verification agent

🧩 Analysis chain

Verify Zizmor version and consider additional configuration options.

The integration looks good, but let's verify a few things:


🏁 Script executed:

#!/bin/bash
# Description: Check if there are any issues or security advisories for zizmor-pre-commit

# Check for issues and PRs that might indicate problems with v1.3.1
gh api graphql -f query='
{
  repository(owner: "woodruffw", name: "zizmor-pre-commit") {
    issues(first: 5, states: OPEN) {
      nodes {
        title
        body
        createdAt
      }
    }
    releases(first: 1) {
      nodes {
        tagName
        createdAt
      }
    }
  }
}'

Length of output: 422


🌐 Web query:

What is the latest version of zizmor-pre-commit and what are its recommended configuration options?

💡 Result:

The latest version of zizmor-pre-commit is v1.1.1, as shown in configuration examples from multiple repositories including CPython's official GitHub repository[1][3]. This version is recommended for integration with pre-commit frameworks.

Recommended configuration options:

repos:
  - repo: https://github.com/woodruffw/zizmor-pre-commit
    rev: v1.1.1  # Latest stable release
    hooks:
      - id: zizmor

Key implementation details:

  • The hook requires no additional arguments by default[1]
  • Primarily targets YAML files in GitHub Actions workflows (/.github/workflows/)[6][7]
  • Works alongside other pre-commit hooks like Ruff and Black in typical Python project setups[3][6]

For security-focused repositories, consider combining it with complementary hooks like:

- repo: https://github.com/pre-commit/pre-commit-hooks
  rev: v4.4.0
  hooks:
    - id: check-yaml
    - id: detect-private-key

Action Required: Update Zizmor Pre-commit Version

  • The current configuration in .pre-commit-config.yaml uses rev: v1.3.1, but research indicates that the recommended stable version is v1.1.1.
  • Confirm that no additional configuration options are required for your integration. While Zizmor doesn't need extra arguments, you might consider complementary security hooks (e.g., check-yaml, detect-private-key) if needed.
  • The hook's placement between Prettier and Mypy appears logical and should not conflict with other checks.


- repo: https://github.com/pre-commit/mirrors-mypy.git
rev: v1.15.0
hooks:
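Review bot: `rev: v1.3.1` on the zizmor-pre-commit entry pins a git tag, and pre-commit resolves a tag to whatever commit it points at when the hook environment is installed; since this hook is being added specifically as a security control over the workflow files, pin the full commit SHA that `v1.3.1` resolves to (keeping the tag in a trailing comment for readability) so the hook source cannot change underneath the pin. Two smaller points on the same lines: the comment `# Github Action static analysis tool` should read `# GitHub Actions static analysis tool`, and because pre-commit only passes files touched by a commit to the hook, run `pre-commit run --all-files` once after this lands so the existing workflows under `.github/workflows/` are audited rather than only future edits.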