
[Backport release-25.05] ci: add zizmor check and configuration#456116

Merged
wolfgangwalther merged 2 commits into release-25.05 from backport-396451-to-release-25.05
Oct 27, 2025

Conversation

@nixpkgs-ci
Contributor

@nixpkgs-ci nixpkgs-ci bot commented Oct 27, 2025

Bot-based backport to release-25.05, triggered by a label in #396451.

  • Before merging, ensure that this backport is acceptable for the release.
    • Even as a non-committer, if you find that it is not acceptable, leave a comment.

winterqt and others added 2 commits October 27, 2025 08:09
Co-authored-by: Thomas Gerbet <thomas@gerbet.me>
(cherry picked from commit 65bb095)
`zizmor` is a tool that uses static analysis to find potential security
issues in GitHub Actions [0]. (Yes, it's a bit absurd that GitHub
made a CI system so complicated that tools like this were created, but
I digress.)

Given our increase in GHA usage recently, I think this is a good step
towards keeping our security posture in tip-top shape. (It also keeps
with the theme of automating as many things as possible!)

The rule related to the usage of dangerous triggers has been disabled
to avoid false positives. Explanations about the usage of
`pull_request_target` and expectations around its usage can be found in
`.github/workflows/README.md`.

[0]: https://woodruffw.github.io/zizmor/

Co-authored-by: Thomas Gerbet <thomas@gerbet.me>
(cherry picked from commit 1a98671)
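The commit above disables zizmor's `dangerous-triggers` audit wholesale and points at a README for the `pull_request_target` rules. For readers who have not used zizmor, the following is an added example, not the content of the backported commit and not nixpkgs' actual configuration or workflows: it shows a zizmor config that exempts a single workflow from that audit by filename, next to that workflow written first in the form the audit exists to catch and then in a hardened form. The file paths, the workflow name, the `ci/triage.sh` script and the `needs-review` label are assumptions made for the example; the `rules.<id>.ignore` list is zizmor's documented config shape, and `pull_request_target` plus a checkout of the fork's head commit is the well-known privileged-trigger-runs-untrusted-code pattern.

```yaml
# Added example, not nixpkgs configuration. Two YAML documents: the zizmor
# config, then the workflow it exempts. Paths and names are assumptions.

# .github/zizmor.yml
rules:
  dangerous-triggers:
    ignore:
      # Only this workflow is allowed to use pull_request_target; any other
      # workflow that adopts the trigger is still reported by the audit.
      - pr-triage.yml

---
# .github/workflows/pr-triage.yml
name: PR triage
on:
  pull_request_target:
    types: [opened, synchronize]

# Least privilege for the job token: it only needs to edit PR metadata.
permissions:
  contents: read
  pull-requests: write

jobs:
  # UNSAFE (kept for contrast, never runs): pull_request_target executes in
  # the base repository's context with its secrets and a write-capable
  # GITHUB_TOKEN, yet this job checks out the fork's head commit and runs a
  # script from it. A malicious PR controls that script and hence the token.
  triage-unsafe:
    if: ${{ false }}
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: ./ci/triage.sh   # attacker-controlled code in a privileged context

  # HARDENED: no checkout of the PR head at all. The job reads only event
  # metadata and applies a label, which is the single reason it needs the
  # privileged trigger. Event data is passed through env rather than
  # interpolated into the script body, so it cannot become shell code.
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Label the PR
        env:
          GH_TOKEN: ${{ github.token }}
          PR_NUMBER: ${{ github.event.pull_request.number }}
          REPO: ${{ github.repository }}
        run: gh pr edit "$PR_NUMBER" --repo "$REPO" --add-label needs-review
```

The point of the per-file `ignore` is that zizmor's `dangerous-triggers` audit flags the trigger itself, not whether a workflow misuses it, so an exemption scoped to the one reviewed workflow keeps the audit live for every other workflow that later adopts `pull_request_target`, whereas disabling the rule repository-wide (as the commit message says was done here) relies entirely on the README conventions and human review to catch a new `checkout` of the PR head under that trigger.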
@nixpkgs-ci nixpkgs-ci bot mentioned this pull request Oct 27, 2025
13 tasks
@nixpkgs-ci nixpkgs-ci bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin. 10.rebuild-linux: 0 This PR does not cause any packages to rebuild on Linux. 6.topic: continuous integration Affects continuous integration (CI) in Nixpkgs, including Ofborg and GitHub Actions 4.workflow: backport This targets a stable branch 6.topic: policy discussion Discuss policies to work in and around Nixpkgs labels Oct 27, 2025
@wolfgangwalther wolfgangwalther added this pull request to the merge queue Oct 27, 2025
@nixpkgs-ci nixpkgs-ci bot added the 9.needs: reviewer This PR currently has no reviewers requested and needs attention. label Oct 27, 2025
Merged via the queue into release-25.05 with commit 6c9b143 Oct 27, 2025
64 of 67 checks passed
@wolfgangwalther wolfgangwalther deleted the backport-396451-to-release-25.05 branch October 27, 2025 08:17