Merged
6 changes: 6 additions & 0 deletions .github/workflows/docker.yml
@@ -296,13 +296,19 @@ jobs:

# Bounded retry — Release Please may still be creating the release
EXISTING=""
FOUND=0
for i in $(seq 1 6); do
if EXISTING=$(gh release view "$TAG" --json body -q '.body // ""' 2>/dev/null); then
FOUND=1
break
fi
echo "Release '$TAG' not available yet (attempt $i/6), retrying in 10s..."
sleep 10
done
if [ "$FOUND" -ne 1 ]; then
echo "::error::GitHub release '$TAG' not available after 6 attempts"
exit 1
fi

IMAGES=$(cat <<'BLOCK'

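Review bot: the retry loop discards stderr from `gh release view` (`2>/dev/null`), so an auth, rate-limit or network error looks exactly like "release not created yet", is retried six times, and ends in the generic `::error::GitHub release '$TAG' not available after 6 attempts` with no hint of the cause. Consider capturing stderr to a temp file (`2>"$GH_ERR"`) and printing it in the `if [ "$FOUND" -ne 1 ]` branch, so the log shows why the lookup failed once the bound is exhausted.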
2 changes: 1 addition & 1 deletion .github/workflows/pages.yml
@@ -72,7 +72,7 @@ jobs:
# MkDocs output is already at _site/docs/ from the build step

- name: Upload Pages artifact
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4
with:
path: _site

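Review bot: the `# v4` comment on the new `uses:` line is the only thing tying `7b1f4a764d45c48632c6b24a0339c27f5614fb0b` to a version, so please verify it the same way the zizmor-action pin was checked elsewhere in this PR (`gh api repos/actions/upload-pages-artifact/git/ref/tags/v4 --jq '.object.sha'`; if the tag is annotated, `.object.type` is `tag` and the commit SHA must be dereferenced via `git/tags/<sha>`), and confirm that the v3 to v4 major bump needs no change to the `path: _site` input.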
32 changes: 32 additions & 0 deletions .github/workflows/zizmor.yml
@@ -0,0 +1,32 @@
name: Workflow Security

on:
push:
branches: [main]
paths:
- ".github/workflows/**"
pull_request:
branches: [main]
paths:
- ".github/workflows/**"
workflow_dispatch:

permissions: {}

jobs:
zizmor:
name: zizmor
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
Comment on lines +8 to +23
Copilot AI Mar 11, 2026

pull_request workflows triggered from forks will receive a read-only GITHUB_TOKEN, so security-events: write (and SARIF upload) will fail in that context. Consider limiting SARIF upload to push on main (or gating the upload step on github.event_name == 'push') while still running the analysis on PRs, so external PRs don't fail spuriously.

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Run zizmor
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
Comment on lines +29 to +30
Contributor

🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify SHA 71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 is tagged as v0.5.2
gh api repos/zizmorcore/zizmor-action/git/ref/tags/v0.5.2 --jq '.object.sha'

Repository: Aureliolo/synthorg

Length of output: 222


🏁 Script executed:

cat -n .github/workflows/zizmor.yml

Repository: Aureliolo/synthorg

Length of output: 862


🌐 Web query:

zizmor-action v0.5.2 release SHA 71321a20a9ded102f6e9ce5718a2fcec2c4f70d8

💡 Result:

71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 is the commit that the zizmorcore/zizmor-action v0.5.2 release/tag points to (short SHA 71321a2). [1]

That commit is titled “Sync zizmor versions (#96)” and updates the action’s bundled/“latest” zizmor version to 1.23.1. [1][2]


SHA is correctly pinned to v0.5.2; consider adding workflow_dispatch for manual security scans.

The SHA-pinned action reference correctly follows repository conventions. Adding workflow_dispatch trigger would enable manual runs when needed (e.g., after zizmor rule updates), since the workflow currently only runs on workflow file changes.

💡 Optional: Add workflow_dispatch trigger
 on:
   push:
     branches: [main]
     paths:
       - ".github/workflows/**"
   pull_request:
     branches: [main]
     paths:
       - ".github/workflows/**"
+  workflow_dispatch:
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/zizmor.yml around lines 28 - 29, add a manual trigger to
the CI by adding a workflow_dispatch event to the zizmor workflow so it can be
run on-demand; update the triggers section in .github/workflows/zizmor.yml
(where the existing event configuration for the zizmor job and the use of the
action zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 is
defined) to include workflow_dispatch alongside the current triggers.

Comment on lines +29 to +30
Copilot AI Mar 11, 2026

The PR description mentions uploading SARIF to the Security tab, but this workflow doesn't show any explicit SARIF upload step or inputs enabling upload; it relies on zizmorcore/zizmor-action defaults. To avoid silent drift if the action defaults change, consider making the SARIF upload behavior explicit (via documented with: options and/or a dedicated upload step).

with:
advanced-security: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
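Review bot: the `paths:` filters on both `push` and `pull_request` cover only `.github/workflows/**`, yet the repository also has a composite action under `.github/actions/setup-python-uv/` (see the DESIGN_SPEC.md hunk in this PR) that falls outside this filter, so a change to its `action.yml` would not trigger the audit; if composite actions are meant to be covered, add `- ".github/actions/**"` to both `paths:` lists. Also worth a one-line comment above the `advanced-security:` expression saying it is false on `pull_request` because fork PRs receive a read-only `GITHUB_TOKEN` without `security-events: write`, so the next reader does not strip the condition.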
1 change: 1 addition & 0 deletions CLAUDE.md
@@ -179,6 +179,7 @@ src/ai_company/
- **Secret scanning**: gitleaks workflow on push/PR + weekly schedule
- **Dependency review**: license allow-list (permissive only), PR comment summaries
- **Coverage**: Codecov integration (replaces artifact-only uploads)
- **Workflow security**: `.github/workflows/zizmor.yml` — zizmor static analysis of GitHub Actions workflows on push to main and PRs (triggers only when workflow files change), SARIF upload to Security tab on push events only (fork PRs lack `security-events: write`)
- **Release**: `.github/workflows/release.yml` — Release Please (Google) auto-creates a release PR on every push to main. Merging the release PR creates a git tag (`vX.Y.Z`) + GitHub Release with changelog. Tag push triggers the Docker workflow to build version-tagged images. Uses `RELEASE_PLEASE_TOKEN` secret (PAT/GitHub App token) so tag creation triggers downstream workflows (GITHUB_TOKEN cannot). Config in `.github/release-please-config.json` and `.github/.release-please-manifest.json`.

## Dependencies
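Review bot: the new "Workflow security" bullet says the SARIF upload happens "on push events only", but the workflow's `advanced-security:` expression also enables it for `workflow_dispatch`; reword to "on push and manual (workflow_dispatch) runs" so the documentation matches the condition in zizmor.yml.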
3 changes: 2 additions & 1 deletion DESIGN_SPEC.md
@@ -3262,7 +3262,8 @@ synthorg/
│ │ ├── dependency-review.yml # License allow-list on PRs
│ │ ├── release.yml # Release Please (automated versioning + GitHub Releases)
│ │ ├── secret-scan.yml # Gitleaks on push/PR + weekly
│ │ └── pages.yml # Build Astro + MkDocs → deploy GitHub Pages
│ │ ├── pages.yml # Build Astro + MkDocs → deploy GitHub Pages
│ │ └── zizmor.yml # Workflow security analysis (zizmor)
│ ├── actions/
│ │ └── setup-python-uv/ # Composite action: Python + uv install
│ ├── dependabot.yml # uv + github-actions + docker updates