Skip to content

ci: add zizmor static analysis for the workflows#1016

Merged
krassowski merged 2 commits into
jupyterlab:masterfrom
notluquis:ci-zizmor
Jul 2, 2026
Merged

ci: add zizmor static analysis for the workflows#1016
krassowski merged 2 commits into
jupyterlab:masterfrom
notluquis:ci-zizmor

Conversation

@notluquis

Copy link
Copy Markdown
Collaborator

Adds zizmor static analysis over the GitHub Actions workflows, based on the one JupyterLab core runs. This answers the "do we have zizmor setup" question from the review on #996.

It's report-only for now: the existing workflows still have a handful of findings (a couple of unscoped app-token permissions, some checkouts missing persist-credentials: false, one template-injection), so instead of failing the build it uploads results to the Security tab via SARIF. A follow-up PR fixes those findings and flips this to a hard gate.

Runs offline (no token passed), so it skips the online-only audits and avoids the API rate limits the zizmor docs warn about.

Put this together with Claude Code, using JupyterLab's zizmor workflow as the base and running zizmor against our workflows locally to confirm it works.

Runs zizmor over .github/workflows and publishes results to the Security tab
via SARIF. Report-only for now (continue-on-error) since the existing
workflows still have findings to clear; a follow-up fixes those and turns this
into a hard gate. Answers the "do we have zizmor setup" question from the
review on jupyterlab#996.

Based this on jupyterlab's own zizmor workflow and put it together with Claude
Code, running zizmor against our workflows locally to confirm it works.
Copilot AI review requested due to automatic review settings July 2, 2026 03:39

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@krassowski krassowski merged commit 17a099a into jupyterlab:master Jul 2, 2026
10 checks passed
@notluquis notluquis deleted the ci-zizmor branch July 2, 2026 17:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants