
ci: use official zizmor action with PR annotations#395

Merged

kibertoad merged 3 commits into main from tighten-zizmor-workflow, May 17, 2026

Conversation

@kibertoad (Owner)
Summary

  • Switch the zizmor workflow from manual uvx zizmor + SARIF upload to the official zizmorcore/zizmor-action pinned to v0.5.6.
  • Enable annotations: true so findings appear as inline GitHub annotations on PR diffs.
  • Drop security-events: write and actions: read permissions (no longer needed without SARIF/Advanced Security upload); job now runs with contents: read only, and the workflow-level permissions: {} removes the default token scope for any future jobs.
  • Build fails automatically when zizmor finds anything — the action preserves zizmor's non-zero exit code on findings.

Test plan

  • Confirm the zizmor check runs green on this PR (no current findings).
  • Verify annotations show up inline in the Files Changed tab if/when findings are introduced (can be sanity-checked by temporarily adding a vulnerable pattern in a follow-up).

🤖 Generated with Claude Code

Switch from manual uvx zizmor + SARIF upload to the official
zizmorcore/zizmor-action. Annotations mode emits inline GitHub
annotations on PR diffs, and zizmor's non-zero exit on findings
fails the build automatically.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
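The workflow shape the summary above describes, written out as an added example; this is not the repository's own zizmor.yml. The `annotations: true` input and the permissions layout come from the PR text; the `advanced-security` input name (used here to disable the SARIF / Advanced Security upload) is an assumption about the action's interface, and the `<commit-sha>` placeholders stand in for the full commit SHAs you would pin to.

```yaml
# .github/workflows/zizmor.yml (added example, not the project's file)
name: zizmor

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level: strip the default GITHUB_TOKEN scopes from every job.
# Any job that needs more must opt in with its own `permissions:` block.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # enough to check out the repo and read its workflows
    steps:
      - name: Checkout
        # Pin to a full commit SHA (placeholder here), not to a mutable tag.
        uses: actions/checkout@<commit-sha> # v4
        with:
          # Do not leave the token in .git/config for later steps to reuse.
          persist-credentials: false

      - name: Run zizmor
        # Pin to the commit that tag v0.5.6 points to (placeholder SHA).
        uses: zizmorcore/zizmor-action@<commit-sha> # v0.5.6
        with:
          inputs: .
          # Findings are surfaced as inline annotations on the PR diff.
          annotations: true
          # Assumed input name: with the SARIF / Advanced Security upload off,
          # neither `security-events: write` nor `actions: read` is needed,
          # and zizmor's non-zero exit on any finding fails the job.
          advanced-security: false
```

Because `permissions: {}` sits at the workflow level, a job added later starts with no token scopes at all; forgetting a job-level `permissions:` block then shows up as a failed step rather than as an over-privileged token.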
coderabbitai Bot commented May 17, 2026


ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9bccefb6-d749-4984-b750-b4d6b67de7f9

📥 Commits

Reviewing files that changed from the base of the PR and between ad490eb and 955a621.

📒 Files selected for processing (4)
  • .github/workflows/ci.yml
  • .github/workflows/coverage.yml
  • .github/workflows/publish.yml
  • .github/workflows/zizmor.yml

Igor Savin and others added 2 commits May 17, 2026 19:40
The strict zizmor mode flagged real issues that the previous SARIF-
only setup was silently uploading:

- Pin all third-party actions by SHA (ci, coverage, publish).
- Add workflow-level permissions: {} and minimal job-level
  permissions blocks.
- Set persist-credentials: false on all checkouts. For publish.yml,
  which needs to push, configure auth via a tokenized remote URL
  using env vars instead of relying on the persisted credential.
- Refactor template expansions in publish.yml run blocks to use
  env vars, avoiding template-injection notices.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
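The hardening the commit message above lists, shown as an added example publish job that is not the project's own publish.yml: a SHA-pinned checkout with `persist-credentials: false`, a push through a tokenized remote URL built from env vars, and a `run:` block that takes its input from an env var instead of a `${{ }}` expansion. The `tag` input, the version check and the `<commit-sha>` placeholder are constructed for this example.

```yaml
# .github/workflows/publish.yml (added example, not the project's file)
name: publish

on:
  workflow_dispatch:
    inputs:
      tag:
        description: Version tag to create and push (constructed input)
        required: true

permissions: {}

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: write   # this job pushes a tag; nothing else in the token
    steps:
      - uses: actions/checkout@<commit-sha> # v4, pinned by commit SHA
        with:
          persist-credentials: false   # no GITHUB_TOKEN left in .git/config

      # Weak form (template injection): the input is pasted into the script,
      # so a value such as `v1.0.0"; curl attacker | sh; echo "` runs as code.
      #   run: git tag -a "${{ github.event.inputs.tag }}" -m "release"
      # Hardened form: the value reaches the shell as data via an env var,
      # and is validated before use.
      - name: Create tag
        env:
          TAG: ${{ github.event.inputs.tag }}
        run: |
          if ! printf '%s' "$TAG" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "refusing unexpected tag: $TAG" >&2
            exit 1
          fi
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git tag -a "$TAG" -m "release $TAG"

      # With persisted credentials off, authenticate this one push explicitly
      # through a tokenized remote URL assembled from env vars.
      - name: Push tag
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          TAG: ${{ github.event.inputs.tag }}
        run: |
          git push "https://x-access-token:${GH_TOKEN}@github.com/${REPO}.git" "refs/tags/${TAG}"
```

When pinning, take the commit an annotated tag points to rather than the tag object itself: `git ls-remote --tags https://github.com/actions/checkout 'v4*'` prints both `refs/tags/v4` (the tag object) and `refs/tags/v4^{}` (the peeled commit); the `^{}` line is the SHA that belongs in `uses:`.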
The previous SHA was the annotated tag object's SHA, not the commit
it points to — zizmor's hash-pin verifier flagged this.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@kibertoad kibertoad merged commit 37930fc into main May 17, 2026
6 checks passed
@kibertoad kibertoad deleted the tighten-zizmor-workflow branch May 17, 2026 16:44