
🧪 Integrate Zizmor checks into GHA CI/CD #2327

Open
webknjaz wants to merge 2 commits into jazzband:main from webknjaz:maintenance/gha-security-zizmor

Conversation

webknjaz (Member) commented Feb 9, 2026

Warning

This is blocked on @jezdez handling jazzband/help#422.

This linter guards against common insecure setups in GitHub Actions and Workflows. It is authored and maintained by a member of the PyPA, contributor to PyPI, former employee of the Trail Of Bits.

Ref: https://zizmor.sh

Contributor checklist
  • Included tests for the changes.
  • A change note is created in changelog.d/ (see changelog.d/README.md
    for instructions) or the PR text says "no changelog needed".
Maintainer checklist
  • If no changelog is needed, apply the bot:chronographer:skip label.
  • Assign the PR to an existing or new milestone for the target version
    (following Semantic Versioning).
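As an added illustration (not the workflow this PR adds, and not zizmor's own example), the following is the kind of GitHub Actions job that runs zizmor over a repository's workflows and uploads the findings as SARIF so they show up as code-scanning alerts. It assumes zizmor is fetched with uv (`uvx zizmor`), that zizmor reads `GH_TOKEN` for its online audits, and the action versions shown are placeholders to be pinned by whoever adopts it.

```yaml
# Added example (not the PR's own workflow): run zizmor against the
# repository's GitHub Actions workflows and publish the results as SARIF.
# Assumptions: zizmor is run via uv (`uvx zizmor`), it reads GH_TOKEN for
# online checks, and the @vN action refs below are placeholders to pin.
name: zizmor

on:
  push:
    branches: [main]
  pull_request:

permissions: {}   # deny-by-default at the workflow level; grant per job below

jobs:
  zizmor:
    name: Audit GitHub Actions workflows
    runs-on: ubuntu-latest
    permissions:
      contents: read          # needed to check out the repository
      security-events: write  # needed to upload SARIF to code scanning
      actions: read           # needed by upload-sarif on private repositories
    steps:
      - name: Check out the repository
        uses: actions/checkout@v4
        with:
          # do not leave the token in .git/config for later steps;
          # keeping credentials on disk is one of the setups zizmor flags
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@v5

      - name: Run zizmor
        # zizmor exits non-zero when it reports findings, so the upload
        # step below runs with `if: always()` to publish them regardless.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # read-only default token
        run: uvx zizmor --format sarif . > results.sarif

      - name: Upload SARIF results
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
          category: zizmor
```

The workflow-level `permissions: {}` plus the per-job grants keep the job itself at least privilege, which is the same discipline zizmor audits other workflows for; the SARIF upload is what turns the linter output into alerts reviewers see on the pull request.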

@webknjaz webknjaz added this to the later milestone Feb 9, 2026
@webknjaz webknjaz requested a review from a team as a code owner February 9, 2026 13:25
@webknjaz webknjaz added the labels maintenance (Related to maintenance processes) and ci (Related to continuous integration tasks) Feb 9, 2026
webknjaz added a commit to webknjaz/pip-tools that referenced this pull request Feb 9, 2026
@webknjaz webknjaz enabled auto-merge February 9, 2026 13:28
webknjaz (Member, Author) commented Feb 9, 2026

This is now waiting for @jezdez to handle jazzband/help#422.

webknjaz added a commit to webknjaz/pip-tools that referenced this pull request Feb 9, 2026
@webknjaz webknjaz force-pushed the maintenance/gha-security-zizmor branch from 9edfa1b to 55c31a0 on February 9, 2026 16:32
sirosen (Member) commented Feb 10, 2026

Can/should we add a tox environment for this too?

webknjaz (Member, Author) commented

I'd say pre-commit, not tox directly. But wanted to start here. You could send in another PR with that while this one is blocked.
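For the pre-commit route suggested in the reply above, this is an added example of a `.pre-commit-config.yaml` entry that runs the same zizmor audit locally before each commit; it is not part of this PR. It assumes the hook repository URL and hook id shown match zizmor's published pre-commit integration, and `rev` is a placeholder to pin to a released version.

```yaml
# Added example (not from this PR): run zizmor as a pre-commit hook so
# workflow files are audited locally before they reach CI.
# Assumed: the repo URL and hook id below are zizmor's published
# pre-commit integration; `rev` is a placeholder to pin to a real tag.
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: vX.Y.Z  # placeholder: pin to a released zizmor version
    hooks:
      - id: zizmor
```

Running `pre-commit run zizmor --all-files` once after adding the hook audits every existing workflow under `.github/workflows/`, so the initial findings can be triaged before the hook starts gating new commits.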

This linter guards against common insecure setups in GitHub Actions
and Workflows. It is authored and maintained by a member of the PyPA,
contributor to PyPI, former employee of the Trail Of Bits.

Ref: https://zizmor.sh
@webknjaz webknjaz force-pushed the maintenance/gha-security-zizmor branch from 55c31a0 to e19e56a on February 10, 2026 14:57

Labels: bot:chronographer:provided, ci (Related to continuous integration tasks), maintenance (Related to maintenance processes)
