Commit 1a986716 authored by Winter's avatar Winter Committed by Thomas Gerbet

ci: add zizmor check and configuration

`zizmor` is a tool that uses static analysis to find potential security
issues in GitHub Actions [0]. (Yes, it's a bit absurd that GitHub
made a CI system so complicated that tools like this were created, but
I digress.)

Given our increase in GHA usage recently, I think this is a good step
towards keeping our security posture in tip-top shape. (It also keeps
with the theme of automating as many things as possible!)

The rule related to the usages of dangerous-triggers has been disabled
to avoid false positives. Explanations about the usage of
`pull_request_target` and expectations around its usage can be found in
`.github/workflows/README.md`.

[0]: https://woodruffw.github.io/zizmor/

Co-authored-by: Thomas Gerbet <thomas@gerbet.me>
parent 65bb0959

.github/zizmor.yml

0 → 100644
+12 −0
# This file defines the ignore rules for zizmor.
#
# For rules that contain a high number of false positives, prefer listing them here
# instead of adding ignore comments. Note that zizmor cannot ignore by line-within-a-string, so
# there are some ignore items that encompass multiple problems within one `run` block. An issue
# tracking this is at https://github.com/woodruffw/zizmor/issues/648.
#
# For more info, see the documentation: https://woodruffw.github.io/zizmor/usage/#ignoring-results

rules:
  dangerous-triggers:
    disable: true
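Review bot: `disable: true` under `dangerous-triggers` switches the audit off for the whole repository, so any workflow added later that introduces `pull_request_target` or `workflow_run` will also pass silently, which is broader than the "rules with a high number of false positives" case the header comment describes. Since the linked usage docs cover ignoring results per workflow, consider listing only the workflows whose `pull_request_target` usage is documented in `.github/workflows/README.md` under an `ignore:` list for this rule instead of disabling it outright, and add a one-line comment next to the rule pointing at that README so the reason for the exception is visible in the config itself, e.g. `# See .github/workflows/README.md for the expectations around pull_request_target.`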
+2 −0
@@ -136,6 +136,8 @@ let
            [ "--config=${config}" ];
          includes = [ "*.md" ];
        };

        programs.zizmor.enable = true;
      };
      fs = pkgs.lib.fileset;
      nixFilesSrc = fs.toSource {
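Review bot: Confirm that the source tree this check runs over includes `.github/zizmor.yml` and `.github/workflows/`. The surrounding code builds filtered sources with `fs.toSource` (see `nixFilesSrc` just below), and if the fileset handed to the zizmor program excludes `.github/`, the new configuration file is never picked up and the `dangerous-triggers` exception from the other hunk has no effect. A short comment above `programs.zizmor.enable = true;` stating which paths the check covers would make that relationship clear.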