From 605fb1f107849b74044689a8b7388869d5023895 Mon Sep 17 00:00:00 2001 From: Robert Fink Date: Fri, 5 Jun 2026 16:02:59 -0500 Subject: [PATCH 1/2] run zizmor with uvx --- .github/workflows/zizmor_sarif.yml | 10 +--------- zizmor.yml | 6 ++++++ 2 files changed, 7 insertions(+), 9 deletions(-) create mode 100644 zizmor.yml diff --git a/.github/workflows/zizmor_sarif.yml b/.github/workflows/zizmor_sarif.yml index 405dfd3..2e857bf 100644 --- a/.github/workflows/zizmor_sarif.yml +++ b/.github/workflows/zizmor_sarif.yml @@ -25,16 +25,8 @@ jobs: - name: Checkout repository uses: actions/checkout@v4 - - name: Install Rust and zizmor - run: | - curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y - source ~/.cargo/env - cargo install zizmor - - name: Run zizmor security scan - run: | - source ~/.cargo/env - zizmor --persona=pedantic --min-severity=medium --min-confidence=medium --format=sarif .github/workflows/ > zizmor.sarif + run: uvx zizmor --persona=pedantic --min-severity=medium --min-confidence=medium --format=sarif .github/workflows/ > zizmor.sarif continue-on-error: true - name: Upload SARIF results to GitHub diff --git a/zizmor.yml b/zizmor.yml new file mode 100644 index 0000000..4241b39 --- /dev/null +++ b/zizmor.yml @@ -0,0 +1,6 @@ +rules: + unpinned-uses: + config: + policies: + actions/*: ref-pin + github/*: ref-pin From d5bb18e9c43d87711fdfa849aeeb9f034ee4dc3f Mon Sep 17 00:00:00 2001 From: Robert Fink Date: Fri, 5 Jun 2026 16:35:33 -0500 Subject: [PATCH 2/2] get rid of sarif --- .../{zizmor_sarif.yml => zizmor.yml} | 9 +------ zizmor.sarif | 24 ------------------- 2 files changed, 1 insertion(+), 32 deletions(-) rename .github/workflows/{zizmor_sarif.yml => zizmor.yml} (68%) delete mode 100644 zizmor.sarif diff --git a/.github/workflows/zizmor_sarif.yml b/.github/workflows/zizmor.yml similarity index 68% rename from .github/workflows/zizmor_sarif.yml rename to .github/workflows/zizmor.yml index 2e857bf..e7b60b2 100644 
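Review bot: The new `run: uvx zizmor ...` line replaces the removed Rust/cargo install step with nothing that installs `uv`, so unless the runner image already provides `uvx` (any earlier setup step in this job is outside the hunk, which starts at `jobs:` line 25) the step fails — and because it keeps `continue-on-error: true`, that failure is swallowed, `zizmor.sarif` is never written, and the later SARIF upload reports nothing rather than failing. Either add a uv setup step before the scan or drop `continue-on-error: true` so a broken scan is visible. Separately, `uvx zizmor` resolves whatever zizmor release is current on PyPI at run time; pinning it, e.g. `run: uvx zizmor==<pinned version> --persona=pedantic ...` (the checked-in `zizmor.sarif` records 1.8.0), keeps the scanner's own supply chain deterministic, and the same unpinned invocation recurs in the workflow hunk of PATCH 2/2.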
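Review bot: The `ref-pin` policy for `actions/*` and `github/*` in the new `zizmor.yml` accepts mutable tag references such as the `actions/checkout@v4` used in this same workflow, so a moved tag would still pass the scan; if the intent is to hold first-party actions to the same bar as third-party ones, `hash-pin` is the policy value that requires a full commit SHA. It is also worth confirming that zizmor discovers a root-level `zizmor.yml` when invoked as `uvx zizmor ... .github/workflows/` from the checkout directory, since otherwise this file is silently ignored. The file has no `---` document start and no comment explaining why these two namespaces are relaxed; a one-line comment above `policies:` such as `# first-party actions may use tag refs; everything else must be hash-pinned` would record that decision.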
--- a/.github/workflows/zizmor_sarif.yml +++ b/.github/workflows/zizmor.yml @@ -26,12 +26,5 @@ jobs: uses: actions/checkout@v4 - name: Run zizmor security scan - run: uvx zizmor --persona=pedantic --min-severity=medium --min-confidence=medium --format=sarif .github/workflows/ > zizmor.sarif + run: uvx zizmor --persona=pedantic --min-severity=medium --min-confidence=medium --format=github .github/workflows/ continue-on-error: true - - - name: Upload SARIF results to GitHub - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: zizmor.sarif - category: zizmor - if: always() diff --git a/zizmor.sarif b/zizmor.sarif deleted file mode 100644 index a21b6ca..0000000 --- a/zizmor.sarif +++ /dev/null @@ -1,24 +0,0 @@ -{ - "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json", - "runs": [ - { - "invocations": [ - { - "executionSuccessful": true - } - ], - "results": [], - "tool": { - "driver": { - "downloadUri": "https://github.com/zizmorcore/zizmor", - "informationUri": "https://docs.zizmor.sh", - "name": "zizmor", - "rules": [], - "semanticVersion": "1.8.0", - "version": "1.8.0" - } - } - } - ], - "version": "2.1.0" -} \ No newline at end of file
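Review bot: With the SARIF upload step deleted, the new `run: uvx zizmor ... --format=github .github/workflows/` line is the only reporting path, yet the step still carries `continue-on-error: true`, so the job stays green whether the scan reports medium-or-higher findings or the scanner fails to run at all; findings now surface only as transient run annotations and no longer as code-scanning alerts. If the scan is meant to gate anything, remove `continue-on-error: true` (zizmor exits non-zero when it has findings, which would then fail the job); if it is intentionally advisory, a comment such as `# advisory only: findings annotate the run but never fail it` above the step would make that explicit. The checkout step preceding this hunk is outside it, and the rename to `.github/workflows/zizmor.yml` leaves the rest of the job unchanged as far as the hunk shows.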