ci: Fix zizmor security findings in GitHub Actions#1998

Merged
tekton-robot merged 1 commit into tektoncd:main from infernus01:ci-zizmor
Apr 27, 2026

Conversation

infernus01 (Member) commented Apr 16, 2026

Changes

Fix security findings reported by zizmor v1.24.1, a static analysis tool for GitHub Actions, and add zizmor as a CI check.

Ref: tektoncd/pipeline#9667.

Closes #1982

  • Add .github/workflows/zizmor.yaml that runs on pushes to main and all PRs
  • Uses zizmorcore/zizmor-action to upload SARIF results to GitHub Advanced Security

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

  • Has Docs if any changes are user facing, including updates to minimum requirements e.g. Kubernetes version bumps
  • Has Tests included if any functionality added or changed
  • Follows the commit message standard
  • Meets the Tekton contributor standards (including functionality, content, code)
  • Has a kind label. You can add one by adding a comment on this PR that contains /kind <type>. Valid types are bug, cleanup, design, documentation, feature, flake, misc, question, tep
  • Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings). See some examples of good release notes.
  • Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

NONE

Signed-off-by: Shubham Bhardwaj <shubbhar@redhat.com>
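Added example, not the PR's own file: a `.github/workflows/zizmor.yaml` in the shape the description above outlines (pushes to main, every PR, `zizmorcore/zizmor-action` uploading SARIF to GitHub Advanced Security), with the hardening that zizmor's own rules check for. The commit SHAs are placeholders, and the `version` and `advanced-security` input names are assumptions about the action.

```yaml
# Added example in the shape the PR describes; not the merged file.
# SHAs are placeholders; the action input names are assumptions.
name: zizmor

on:
  push:
    branches: [main]
  pull_request:        # no branch filter: runs on every PR

# Deny-by-default at workflow level; zizmor's excessive-permissions
# rule flags workflows that inherit the repository default token scope.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # enough for checkout
      security-events: write  # required to upload SARIF to code scanning
    steps:
      - name: Checkout
        # Pin to a full commit SHA rather than a mutable tag
        # (zizmor: unpinned-uses). The tag is kept as a comment for humans.
        uses: actions/checkout@<FULL-COMMIT-SHA-PLACEHOLDER> # v4
        with:
          # Do not persist the token into .git/config where later steps
          # or uploaded artifacts could expose it (zizmor: artipacked).
          persist-credentials: false

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@<FULL-COMMIT-SHA-PLACEHOLDER> # vX.Y.Z
        with:
          # Assumed inputs: pin the scanner version the PR mentions and
          # upload SARIF results to GitHub Advanced Security.
          version: "1.24.1"
          advanced-security: true
```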
tekton-robot added the release-note-none (Denotes a PR that doesn't merit a release note.) label Apr 16, 2026
tekton-robot added the size/L (Denotes a PR that changes 100-499 lines, ignoring generated files.) label Apr 16, 2026

github-advanced-security commented:
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

infernus01 (Member, Author) commented

/retest

khrm (Contributor) commented Apr 16, 2026

/retest

infernus01 closed this Apr 17, 2026
infernus01 reopened this Apr 17, 2026

infernus01 (Member, Author) commented

/cc @khrm

khrm (Contributor) left a review comment

/approve

khrm (Contributor) commented Apr 27, 2026

/lgtm

tekton-robot commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: khrm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

tekton-robot added the approved (Indicates a PR has been approved by an approver from all required OWNERS files.) label Apr 27, 2026
tekton-robot added the lgtm (Indicates that a PR is ready to be merged.) label Apr 27, 2026

khrm (Contributor) commented Apr 27, 2026

/kind misc

tekton-robot added the kind/misc (Categorizes issue or PR as a miscellaneous one.) label Apr 27, 2026
tekton-robot merged commit 117a7d9 into tektoncd:main Apr 27, 2026
24 of 26 checks passed
Development

Successfully merging this pull request may close these issues.

ci: Run zizmor on GitHub Actions and fix security findings