From 587087043533173bec2a4744196fe6e96d29c6bb Mon Sep 17 00:00:00 2001 From: Lucas Pulgar-Escobar <51384279+notluquis@users.noreply.github.com> Date: Wed, 1 Jul 2026 23:39:05 -0400 Subject: [PATCH] ci: add zizmor static analysis for the workflows Runs zizmor over .github/workflows and publishes results to the Security tab via SARIF. Report-only for now (continue-on-error) since the existing workflows still have findings to clear; a follow-up fixes those and turns this into a hard gate. Answers the "do we have zizmor setup" question from the review on #996. Based this on jupyterlab's own zizmor workflow and put it together with Claude Code, running zizmor against our workflows locally to confirm it works. --- .github/workflows/zizmor.yml | 41 ++++++++++++++++++++++++++++++++++++ 1 file changed, 41 insertions(+) create mode 100644 .github/workflows/zizmor.yml diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 00000000..5d33e005 --- /dev/null +++ b/.github/workflows/zizmor.yml @@ -0,0 +1,41 @@ +# Static analysis of the GitHub Actions workflows with zizmor. +# https://github.com/zizmorcore/zizmor +name: GitHub Actions security (zizmor) + +on: + push: + branches: [master] + pull_request: + branches: ["**"] + +permissions: {} + +jobs: + zizmor: + name: zizmor + runs-on: ubuntu-latest + permissions: + security-events: write # upload-sarif needs this to publish results + steps: + - name: Checkout + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + + - name: Install uv + uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0 + + - name: Run zizmor + # Report only for now. The existing workflows still have findings to work + # through, so this uploads results to the Security tab instead of failing + # the build. Flip to a hard gate once they're cleared. No token is passed, + # so zizmor runs offline (skips the online-only audits) and avoids the API + # rate limits its docs warn about. + continue-on-error: true + run: uvx zizmor@1.25.2 --format=sarif . > results.sarif + + - name: Upload SARIF + uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1 + with: + sarif_file: results.sarif + category: zizmor