Skip to content

ci: add GitHub Actions workflow for Zig tests#193

Closed
unliftedq wants to merge 4 commits intojustrach:mainfrom
unliftedq:add-test-pipeline
Closed

ci: add GitHub Actions workflow for Zig tests#193
unliftedq wants to merge 4 commits intojustrach:mainfrom
unliftedq:add-test-pipeline

Conversation

@unliftedq
Copy link
Copy Markdown
Contributor

@unliftedq unliftedq commented Apr 7, 2026

Introduced a new test pipeline to make sure there's no unexpected regressions.

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Apr 7, 2026
View reviewed changes
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 1f4b49d87b

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread .github/workflows/zig-tests.yml
Comment on lines +42 to +43
curl -L "https://ziglang.org/download/${ZIG_VERSION}/${{ matrix.zig_archive }}" -o zig.tar.xz
tar -xf zig.tar.xz
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot Apr 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Verify Zig download before executing in CI

In .github/workflows/zig-tests.yml (checked the Install Zig steps for both non-Windows and Windows), the workflow downloads Zig archives directly from the network and immediately extracts/runs them without any checksum or signature verification. This creates a supply-chain risk: if the download endpoint or transit path is compromised, attacker-controlled binaries can execute in CI (including push runs where secrets may be present). Add an integrity check (e.g., pinned SHA-256 per archive/version, or verified signature) before extraction in both install branches.

Useful? React with 👍 / 👎.

justrach
justrach requested changes Apr 11, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@justrach justrach left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for wiring up the Zig test workflow. This is useful.

One blocking issue before merge: both Zig install branches currently download archives from the network and immediately extract/run them without any integrity verification. Please pin and verify the archive checksum (or another equivalent integrity mechanism) for both the Unix and Windows downloads before extraction.

Once that is in, rerun the workflow and tag @codex review again.

@unliftedq unliftedq closed this Apr 14, 2026
@unliftedq unliftedq deleted the add-test-pipeline branch April 14, 2026 02:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

@justrach justrach justrach requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@unliftedq @justrach