
Add pinact and zizmor workflow checks#653

Open

demeyerthom wants to merge 1 commit into main from pin-actions

Conversation

@demeyerthom
Member

This PR adds two GitHub Actions workflows:

  • pinact: Checks that all GitHub Actions are pinned to commit SHAs
  • zizmor: Runs security analysis on GitHub Actions workflows
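As an added illustration of what the pinact check enforces (this is example code, not the project's workflow or the pinact tool itself): a small checker that flags `uses:` references that are not pinned to a full 40-hex commit SHA, while leaving local (`./`) and `docker://` references to other checks. The sample workflow text, including its SHA, is constructed.

```python
import re
from typing import List

# Constructed workflow text so the check runs offline; the SHA is made up.
SAMPLE_WORKFLOW = """\
name: tests
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5 (constructed SHA)
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - name: release
        uses: goreleaser/goreleaser-action@main
"""

# Matches a step's "uses:" value, with or without a leading list dash or quotes.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full git commit SHA: exactly 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Return 'local', 'docker', 'pinned' or 'unpinned' for one uses: value."""
    if ref.startswith("./"):
        return "local"       # action inside this repository; nothing to pin
    if ref.startswith("docker://"):
        return "docker"      # image reference; pinned by digest, not by git SHA
    if "@" not in ref:
        return "unpinned"    # no ref at all, resolves to the default branch
    _, ref_part = ref.rsplit("@", 1)
    return "pinned" if SHA_RE.fullmatch(ref_part) else "unpinned"


def find_unpinned(workflow_text: str) -> List[str]:
    """Return every uses: value in the workflow that is not pinned to a full SHA."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and classify_uses(m.group(1)) == "unpinned":
            unpinned.append(m.group(1))
    return unpinned


if __name__ == "__main__":
    for ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"unpinned action reference: {ref}")
```

This check inspects only the ref syntax; it does not resolve tags or verify that a SHA belongs to the version named in a trailing comment.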

Copilot AI review requested due to automatic review settings April 28, 2026 13:19
@demeyerthom demeyerthom requested a review from a team as a code owner April 28, 2026 13:19
@demeyerthom demeyerthom self-assigned this Apr 28, 2026

Copilot AI left a comment


Pull request overview

Adds automated GitHub Actions workflow security checks (pinning verification and zizmor analysis) and updates existing workflows to use pinned action SHAs.

Changes:

  • Add new pinact workflow to verify all GitHub Actions usages are pinned to commit SHAs.
  • Add new zizmor workflow to run GitHub Actions workflow security analysis.
  • Update multiple existing workflows to pin uses: references to specific commit SHAs (and adjust some workflow settings/conditions).

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

File                                        Description
.github/workflows/zizmor.yaml               New workflow to run zizmor on workflow/action changes and on main pushes.
.github/workflows/pinact.yaml               New workflow to verify action pinning on workflow/action changes.
.github/workflows/triage.yaml               Pin third-party and GitHub actions to SHAs.
.github/workflows/tests.yaml                Pin actions to SHAs; tweak setup-go configuration.
.github/workflows/release.yaml              Pin actions to SHAs; tweak setup-go configuration.
.github/workflows/dependabot-changie.yaml   Pin actions to SHAs and adjust Dependabot-only gating condition.
.github/workflows/copilot-setup-steps.yaml  Pin actions to SHAs; tweak setup-go configuration.


jobs:
pinact:
# Only run on pull requests from the same repository
if: github.event.pull_request.head.repo.full_name == github.repository

Copilot AI Apr 28, 2026


pinact job-level if references github.event.pull_request..., but this workflow also runs on push to main. On push events github.event.pull_request is undefined, so the expression can fail evaluation and break the workflow on every push. Either remove the push trigger, or guard the condition (e.g., check github.event_name == 'pull_request' before accessing github.event.pull_request).

Suggested change
if: github.event.pull_request.head.repo.full_name == github.repository
if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
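Review bot: the suggested guard skips the pinact job on push to main entirely, because `github.event_name == 'pull_request'` is false on a push and the `&&` short-circuits; if pinning should also be verified on pushes (the comment above notes the workflow runs on push to main), guard the other way round so that non-PR events still run: `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`. If the intent really is PR-only, drop the push trigger as well so the workflow does not show up as permanently skipped on main.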
