
ci: add zizmor checks to lint github actions workflows#215

Merged
mdevolde merged 1 commit into
jxmorris12:masterfrom
mdevolde:ci/zizmor
Jul 2, 2026

Conversation

@mdevolde (Collaborator) commented Jul 2, 2026

ci: add zizmor checks to lint github actions workflows

Why the pull request was made

To ensure that our github actions workflows adopt good practices and are safe (important to manipulate secrets in a proper way, and reduce risks of supply chain attacks).

Summary of changes

  • Add zizmor to quality group in pyproject.toml.
  • Add a zizmor workflow in github actions workflows, that is triggered if a file that matches .github/workflows/* is modified.
  • Add zizmor checks in pre-commit checks.
  • Add zizmor target in makefiles.
  • Fix zizmor warnings in github actions workflows.

Screenshots (if appropriate):

Not applicable.

How has this been tested?

Tested zizmor locally, tested new makefile targets.

Resources

https://docs.zizmor.sh/

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update (changes to documentation only)
  • Refactor / code style update (non-breaking change that improves code structure or readability)
  • Tests / CI improvement (adding or updating tests or CI configuration only)
  • Chore / maintenance (non-breaking change that does not affect functionality, such as updating dependencies or fixing typos)
  • Other (please describe):

Checklist

  • Followed the project's contributing guidelines.
  • Updated any relevant tests.
  • Updated any relevant documentation.
  • Added comments to your code where necessary.
  • Formatted your code, run the linters, checked types and tests.
  • Added your changes to the CHANGELOG file, if applicable.
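A workflow of the shape this PR describes, written here as an added example rather than the zizmor.yml that was merged: it lints the workflow files whenever one changes and applies the hardening the description mentions (minimal token permissions, concurrency, no persisted checkout credentials). The file name, step names, branch name and the use of uv to install the quality group are assumptions.

```yaml
# .github/workflows/zizmor.yml (illustrative; not the file merged in this PR)
name: zizmor

on:
  pull_request:
    paths:
      # '*' does not cross '/', so '**' is used to cover nested workflow files too.
      - ".github/workflows/**"
  push:
    branches: [master]   # assumed default branch name
    paths:
      - ".github/workflows/**"

# Grant nothing by default; each job requests only what it needs.
permissions: {}

# Cancel superseded runs on the same ref so stale revisions are not linted twice.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout only; no write access to the repository
    steps:
      # zizmor's unpinned-uses audit prefers a full commit SHA over a tag;
      # replace the tag with the SHA of the release you audit (placeholder here).
      - uses: actions/checkout@v4
        with:
          # Keep GITHUB_TOKEN out of .git/config so later steps cannot read it.
          persist-credentials: false

      - uses: astral-sh/setup-uv@v5   # installs uv; pin to a SHA in practice

      - name: Install the quality dependency group (contains the pinned zizmor)
        run: uv sync --group quality

      - name: Lint every workflow file in the repository
        run: uv run zizmor .github/workflows/
```

Running the same `uv run zizmor .github/workflows/` locally is what the Makefile target and pre-commit hook in this PR wrap, so CI and developers apply identical checks.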

Copilot AI (Contributor) left a comment

Pull request overview

This PR introduces zizmor as an additional safety/linting tool for GitHub Actions workflows, wiring it into local tooling (uv dependency groups, Make targets, pre-commit) and CI, while also adjusting existing workflows to satisfy zizmor’s recommendations.

Changes:

  • Add zizmor==1.26.1 to the quality dependency group and lockfile.
  • Add a dedicated Zizmor GitHub Actions workflow that runs when workflow files change.
  • Integrate zizmor into developer workflows via pre-commit and make/make.bat targets, plus tighten permissions/credentials usage in existing workflows.

Reviewed changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.

Summary per file:

  • uv.lock: Adds zizmor to the locked "quality" dependency group and records the resolved package.
  • pyproject.toml: Adds zizmor to the quality dependency group with version pinning.
  • Makefile: Adds a zizmor-check target and runs zizmor as part of fix and check.
  • make.bat: Adds Windows equivalents for zizmor-check and includes it in the check flow.
  • .pre-commit-config.yaml: Adds a zizmor pre-commit hook for workflow linting.
  • .github/workflows/zizmor.yml: New workflow to run zizmor on workflow changes.
  • .github/workflows/test.yml: Adds concurrency; tightens checkout credentials; refactors python version usage.
  • .github/workflows/codeql.yml: Adds top-level permissions/concurrency; disables persisted checkout credentials.


Review comment threads (contents not shown on this page): .pre-commit-config.yaml (outdated), make.bat, .github/workflows/codeql.yml (outdated).
@codecov-commenter commented Jul 2, 2026

⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (4477151) to head (9d4d8a9).
⚠️ Report is 1 commit behind head on master.
❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

@@            Coverage Diff            @@
##            master      #215   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           13        13           
  Lines         1696      1696           
=========================================
  Hits          1696      1696           


@mdevolde mdevolde merged commit 75c7d1e into jxmorris12:master Jul 2, 2026
14 checks passed
@mdevolde mdevolde deleted the ci/zizmor branch July 2, 2026 19:38