Skip to content

🌱 add zizmor scanner#934

Merged
metal3-io-bot merged 1 commit intometal3-io:mainfrom
Nordix:tuomo/add-zizmor
Mar 6, 2026
Merged

🌱 add zizmor scanner#934
metal3-io-bot merged 1 commit intometal3-io:mainfrom
Nordix:tuomo/add-zizmor

Conversation

@tuminoid
Copy link
Copy Markdown
Member

@tuminoid tuminoid commented Mar 6, 2026
edited
Loading

Zizmor scans workflow files to keep them hardened. It runs on push to produce a report in security tab, and it runs on PRs and blocks them if they is any errors.

- Harden dependabot workflow: disable persist-credentials on checkout,
  pass token explicitly to add-and-commit action
- Suppress artipacked on release workflow checkout that needs
  credentials for pushing branches and tags
- Suppress superfluous-actions on softprops/action-gh-release pending
  replacement with gh CLI

@tuminoid
Copy link
Copy Markdown
Member Author

tuminoid commented Mar 6, 2026

/hold
This is expected to fail, I will adjust.

@metal3-io-bot metal3-io-bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Mar 6, 2026
@tuminoid
add zizmor scanner
d60bab6 
Zizmor scans workflow files to keep them hardened. It runs on push to
produce a report in security tab, and it runs on PRs and blocks them
if they is any errors.

- Suppress artipacked on release workflow checkout that needs
  credentials for pushing branches and tags
- Suppress superfluous-actions on softprops/action-gh-release pending
  replacement with gh CLI

Signed-off-by: Tuomo Tanskanen <tuomo.tanskanen@est.tech>
@tuminoid
Copy link
Copy Markdown
Member Author

tuminoid commented Mar 6, 2026

/unhold

@metal3-io-bot metal3-io-bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 6, 2026
lentzi90
lentzi90 reviewed Mar 6, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@lentzi90 lentzi90 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@metal3-io-bot metal3-io-bot added the lgtm Indicates that a PR is ready to be merged. label Mar 6, 2026
@lentzi90
Copy link
Copy Markdown
Member

lentzi90 commented Mar 6, 2026

/retest

@tuminoid
Copy link
Copy Markdown
Member Author

tuminoid commented Mar 6, 2026

/override metal3-centos-e2e-integration-test-main
/override metal3-ubuntu-e2e-integration-test-main

@metal3-io-bot
Copy link
Copy Markdown
Contributor

metal3-io-bot commented Mar 6, 2026

@tuminoid: Overrode contexts on behalf of tuminoid: metal3-centos-e2e-integration-test-main, metal3-ubuntu-e2e-integration-test-main

Details

In response to this:

/override metal3-centos-e2e-integration-test-main
/override metal3-ubuntu-e2e-integration-test-main

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@tuminoid
Copy link
Copy Markdown
Member Author

tuminoid commented Mar 6, 2026

/cc @Rozzii

@metal3-io-bot metal3-io-bot requested a review from Rozzii March 6, 2026 12:55
@elfosardo
Copy link
Copy Markdown
Member

elfosardo commented Mar 6, 2026

/approve

@metal3-io-bot
Copy link
Copy Markdown
Contributor

metal3-io-bot commented Mar 6, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: elfosardo

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@metal3-io-bot metal3-io-bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 6, 2026
@metal3-io-bot metal3-io-bot merged commit 4854e56 into metal3-io:main Mar 6, 2026
25 of 27 checks passed
@metal3-io-bot metal3-io-bot deleted the tuomo/add-zizmor branch March 6, 2026 14:31
@metal3-io-bot metal3-io-bot added this to the ironic-image - v35.0 milestone Mar 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@elfosardo elfosardo Awaiting requested review from elfosardo

@iurygregory iurygregory Awaiting requested review from iurygregory

@Rozzii Rozzii Awaiting requested review from Rozzii

1 more reviewer

@lentzi90 lentzi90 lentzi90 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.

Projects

None yet

Milestone

ironic-image - v35.0

Development

Successfully merging this pull request may close these issues.

4 participants

@tuminoid @lentzi90 @metal3-io-bot @elfosardo