ci: add zizmor checks to lint github actions workflows#215
Pull request overview
This PR introduces zizmor as an additional safety/linting tool for GitHub Actions workflows, wiring it into local tooling (uv dependency groups, Make targets, pre-commit) and CI, while also adjusting existing workflows to satisfy zizmor’s recommendations.
Changes:
- Add `zizmor==1.26.1` to the `quality` dependency group and lockfile.
- Add a dedicated `Zizmor` GitHub Actions workflow that runs when workflow files change.
- Integrate zizmor into developer workflows via pre-commit and `make`/`make.bat` targets, plus tighten permissions/credentials usage in existing workflows.
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `uv.lock` | Adds zizmor to the locked "quality" dependency group and records the resolved package. |
| `pyproject.toml` | Adds zizmor to the quality dependency group with version pinning. |
| `Makefile` | Adds `zizmor-check` target and runs zizmor as part of `fix` and `check`. |
| `make.bat` | Adds Windows equivalents for `zizmor-check` and includes it in the `check` flow. |
| `.pre-commit-config.yaml` | Adds zizmor pre-commit hook for workflow linting. |
| `.github/workflows/zizmor.yml` | New workflow to run zizmor on workflow changes. |
| `.github/workflows/test.yml` | Adds concurrency; tightens checkout credentials; refactors python version usage. |
| `.github/workflows/codeql.yml` | Adds top-level permissions/concurrency; disables persisted checkout credentials. |
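The hardening the review table lists (top-level read-only permissions, concurrency, `persist-credentials: false`) together with a job that runs zizmor on workflow changes, as an added illustration written for this page; it is not the project's `.github/workflows/zizmor.yml`, and the action versions, Python version and pip-based install step are assumptions.

```yaml
# Illustrative zizmor workflow (added example, not the project's own file).
name: Zizmor

on:
  push:
    paths: [".github/workflows/**"]   # only run when workflow files change
  pull_request:
    paths: [".github/workflows/**"]

# Least privilege: the default GITHUB_TOKEN gets read-only repository access.
permissions:
  contents: read

# Cancel a superseded run of the same workflow on the same branch or PR.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  zizmor:
    runs-on: ubuntu-latest
    steps:
      # zizmor's unpinned-uses audit prefers a full commit SHA pin;
      # a tag is shown here for readability.
      - uses: actions/checkout@v4
        with:
          # Do not leave the token in .git/config where later steps could read it.
          persist-credentials: false

      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"   # assumed; any supported version works

      - name: Install zizmor (same pin as the quality dependency group)
        run: python -m pip install "zizmor==1.26.1"

      # zizmor exits non-zero when it reports findings, which fails the job.
      - name: Lint workflows
        run: zizmor .github/workflows
```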
Codecov Report: All modified and coverable lines are covered by tests.

Coverage diff:

| | master | #215 | +/- |
|---|---|---|---|
| Coverage | 100.00% | 100.00% | |
| Files | 13 | 13 | |
| Lines | 1696 | 1696 | |
| Hits | 1696 | 1696 | |

View full report in Codecov by Harness.
ci: add zizmor checks to lint github actions workflows
Why the pull request was made
To ensure that our GitHub Actions workflows adopt good practices and are safe (important to manipulate secrets in a proper way, and reduce risks of supply chain attacks).
Summary of changes
`pyproject.toml` and `.github/workflows/*` are modified.
Screenshots (if appropriate):
Not applicable.
How has this been tested?
Tested zizmor locally, tested new makefile targets.
Resources
https://docs.zizmor.sh/