Merged
Changes from 2 commits
6 changes: 6 additions & 0 deletions .github/workflows/docker.yml
Expand Up @@ -296,13 +296,19 @@ jobs:

# Bounded retry — Release Please may still be creating the release
EXISTING=""
FOUND=0
for i in $(seq 1 6); do
if EXISTING=$(gh release view "$TAG" --json body -q '.body // ""' 2>/dev/null); then
FOUND=1
break
fi
echo "Release '$TAG' not available yet (attempt $i/6), retrying in 10s..."
sleep 10
done
if [ "$FOUND" -ne 1 ]; then
echo "::error::GitHub release '$TAG' not available after 6 attempts"
exit 1
fi

IMAGES=$(cat <<'BLOCK'
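Review bot: the retry loop's probe line, `if EXISTING=$(gh release view "$TAG" --json body -q '.body // ""' 2>/dev/null); then`, throws away stderr on every attempt, so when all six attempts fail the `::error::GitHub release '$TAG' not available after 6 attempts` message cannot distinguish a release that Release Please has not created yet from an authentication, permission or rate-limit failure, and a permanent error is retried for the full minute before surfacing with no cause attached. Capture stderr into a variable on each attempt (for example `ERR=$(gh release view "$TAG" --json body -q '.body // ""' 2>&1 >/dev/null)`) and include it in the final `::error::` line, or at minimum echo it on the last iteration. A second, smaller point: `-q '.body // ""'` intentionally maps a null body to an empty string, so an empty `EXISTING` after `FOUND=1` means the release exists with no notes rather than a lookup failure; a one-line comment above the loop stating that would stop the next reader from treating the empty string as an error case.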

2 changes: 1 addition & 1 deletion .github/workflows/pages.yml
Expand Up @@ -72,7 +72,7 @@ jobs:
# MkDocs output is already at _site/docs/ from the build step

- name: Upload Pages artifact
uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b # v4
with:
path: _site
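Review bot: this is a major-version bump of `actions/upload-pages-artifact` (the `# v3` comment becomes `# v4`) behind a SHA pin, and the hunk alone cannot show the two things a reviewer should confirm before merging: that `7b1f4a764d45c48632c6b24a0339c27f5614fb0b` is the commit the upstream v4 tag actually resolves to (the same `gh api repos/<owner>/<repo>/git/ref/tags/<tag> --jq '.object.sha'` check the zizmor review on this PR ran for its own pin), and that whatever deploy step consumes this artifact later in `pages.yml` is on a release that accepts v4 artifacts, since a mismatch there only shows up at deploy time. The `path: _site` input is unchanged, which is consistent with the preceding comment that MkDocs output already lands under `_site/docs/`, so no further change to the step is needed if both checks pass.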

29 changes: 29 additions & 0 deletions .github/workflows/zizmor.yml
@@ -0,0 +1,29 @@
name: Workflow Security

on:
push:
branches: [main]
paths:
- ".github/workflows/**"
pull_request:
branches: [main]
paths:
- ".github/workflows/**"

permissions: {}

jobs:
zizmor:
name: zizmor
runs-on: ubuntu-latest
permissions:
security-events: write
contents: read
actions: read
Comment on lines +8 to +23

Copilot AI Mar 11, 2026


pull_request workflows triggered from forks will receive a read-only GITHUB_TOKEN, so security-events: write (and SARIF upload) will fail in that context. Consider limiting SARIF upload to push on main (or gating the upload step on github.event_name == 'push') while still running the analysis on PRs, so external PRs don't fail spuriously.

steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Run zizmor
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
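Review bot: the `zizmor` job sets no `timeout-minutes`, so a hung scan or a stalled SARIF upload from the `Run zizmor` step occupies the runner until the default 360-minute job limit; add `timeout-minutes: 10` next to `runs-on: ubuntu-latest`, which is generous for a single-repository workflow lint. The permission shape is otherwise right for this kind of job: top-level `permissions: {}` removes every default scope, the job re-grants only `security-events: write`, `contents: read` and `actions: read`, and `persist-credentials: false` on the checkout keeps the token out of the working tree. If the SARIF upload is later gated to `push` events as suggested on lines +8 to +23, revisit whether `actions: read` and `security-events: write` are still needed on the pull_request path, since a read-only fork token will not be able to use them anyway and the narrower grant documents the intent.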
Comment on lines +29 to +30


🧹 Nitpick | 🔵 Trivial

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify SHA 71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 is tagged as v0.5.2
gh api repos/zizmorcore/zizmor-action/git/ref/tags/v0.5.2 --jq '.object.sha'

Repository: Aureliolo/synthorg

Length of output: 222


🏁 Script executed:

cat -n .github/workflows/zizmor.yml

Repository: Aureliolo/synthorg

Length of output: 862


🌐 Web query:

zizmor-action v0.5.2 release SHA 71321a20a9ded102f6e9ce5718a2fcec2c4f70d8

💡 Result:

71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 is the commit that the zizmorcore/zizmor-action v0.5.2 release/tag points to (short SHA 71321a2). [1]

That commit is titled “Sync zizmor versions (#96)” and updates the action’s bundled/“latest” zizmor version to 1.23.1. [1][2]


SHA is correctly pinned to v0.5.2; consider adding workflow_dispatch for manual security scans.

The SHA-pinned action reference correctly follows repository conventions. Adding workflow_dispatch trigger would enable manual runs when needed (e.g., after zizmor rule updates), since the workflow currently only runs on workflow file changes.

💡 Optional: Add workflow_dispatch trigger
 on:
   push:
     branches: [main]
     paths:
       - ".github/workflows/**"
   pull_request:
     branches: [main]
     paths:
       - ".github/workflows/**"
+  workflow_dispatch:
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/zizmor.yml around lines 28 - 29, Add a manual trigger to
the CI by adding a workflow_dispatch event to the zizmor workflow so it can be
run on-demand; update the triggers section in .github/workflows/zizmor.yml
(where the existing event configuration for the zizmor job and the use of the
action zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 is
defined) to include workflow_dispatch alongside the current triggers.

Comment on lines +29 to +30

Copilot AI Mar 11, 2026


The PR description mentions uploading SARIF to the Security tab, but this workflow doesn't show any explicit SARIF upload step or inputs enabling upload; it relies on zizmorcore/zizmor-action defaults. To avoid silent drift if the action defaults change, consider making the SARIF upload behavior explicit (via documented with: options and/or a dedicated upload step).
