From 4292320ee2bbf2b7d11092a350eca9602efcb246 Mon Sep 17 00:00:00 2001
From: Martin Costello
Date: Fri, 19 Dec 2025 10:04:22 +0000
Subject: [PATCH 1/2] Bump zizmor to v1.19.0

Update to zizmor 1.19.0.
---
 .github/workflows/lint.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9b5fcef5a9a..c55d11c85e2 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -27,7 +27,7 @@ jobs:
       POWERSHELL_YAML_VERSION: '0.4.12'
       PSSCRIPTANALYZER_VERSION: '1.24.0'
       TERM: xterm
-      ZIZMOR_VERSION: '1.13.0'
+      ZIZMOR_VERSION: '1.19.0'
 
     permissions:
       actions: read

From a5a83fe2518eec18b9d785ddf26c293f4e5a9818 Mon Sep 17 00:00:00 2001
From: martincostello
Date: Fri, 19 Dec 2025 10:13:49 +0000
Subject: [PATCH 2/2] Fix zizmor findings

- Configure a 3-day cooldown for dependabot.
- Suppress false positive.
- Disable overly-paranoid concurrency rule.
---
 .github/dependabot.yml               | 4 ++++
 .github/workflows/ossf-scorecard.yml | 2 +-
 .github/zizmor.yml                   | 5 +++++
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 90f77b8ca1c..87d403f820e 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,6 +2,8 @@ version: 2
 updates:
   - package-ecosystem: "github-actions"
     directory: "/"
+    cooldown:
+      default-days: 3
     schedule:
       interval: weekly
       day: thursday
@@ -9,6 +11,8 @@ updates:
       timezone: "America/New_York"
   - package-ecosystem: nuget
     directory: "/"
+    cooldown:
+      default-days: 3
     groups:
       polly:
         patterns:
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
index 2e2630c2bfc..42cdeb637f1 100644
--- a/.github/workflows/ossf-scorecard.yml
+++ b/.github/workflows/ossf-scorecard.yml
@@ -7,7 +7,7 @@ on:
     - cron: '0 8 * * MON'
   workflow_dispatch:
 
-permissions: read-all
+permissions: read-all # zizmor: ignore[excessive-permissions] Recommended permissions for OSSF Scorecard
 
 jobs:
   analysis:
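Review bot: The `cooldown.default-days: 3` added under both the github-actions and nuget entries (this hunk and the `@@ -9,6 +11,8 @@` hunk) carries no comment explaining why the value is 3 or that it must match `dependabot-cooldown.config.days` in .github/zizmor.yml, so a later bump in one file will silently diverge from the other. I'd add above each `cooldown:` block: `# Wait 3 days after a release before proposing it, so a withdrawn or compromised release is less likely to be pulled in automatically; keep in sync with dependabot-cooldown in .github/zizmor.yml`. As far as I recall from the Dependabot docs, cooldown applies to version updates only and not to security updates — worth confirming if the intent was to delay every update. The enclosing `updates:` list continues outside both hunks.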
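Review bot: The justification appended to the new `permissions: read-all` line says only that the permissions are "recommended", which does not tell a later maintainer what breaks without `read-all` or when the suppression can be revisited. I'd make the trailing text name the source of the requirement, e.g. `permissions: read-all # zizmor: ignore[excessive-permissions] top-level grant documented by ossf/scorecard-action; revisit when bumping that action`. The job-level grants live under `analysis:`, which continues outside the hunk, so I can't tell from here whether write scopes are also declared there. It is also worth confirming against the zizmor docs that free text after `ignore[...]` is accepted by the version now pinned, so the suppression actually takes effect.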
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index ad6d7764821..0b48a089b11 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,5 +1,10 @@
 rules:
   anonymous-definition:
     disable: true
+  concurrency-limits:
+    disable: true
+  dependabot-cooldown:
+    config:
+      days: 3
   undocumented-permissions:
     disable: true
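Review bot: The new `concurrency-limits: disable: true` turns the rule off repository-wide without recording why, and the commit message's "overly-paranoid" rationale will not travel with the file. I'd put a comment above it, e.g. `# Disabled repo-wide: judged too noisy for this repository's workflows; re-evaluate on zizmor bumps`, and consider a per-workflow `# zizmor: ignore[concurrency-limits]` instead if only a few workflows trigger it, so newly added workflows are still checked. The `days: 3` under `dependabot-cooldown` duplicates `default-days: 3` in .github/dependabot.yml; a comment `# must match cooldown.default-days in .github/dependabot.yml` on that line keeps the two from drifting.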