use zizmor to lint GitHub actions#22294

Merged
alice-i-cecile merged 2 commits intobevyengine:mainfrom
mockersf:linting-actions
Dec 30, 2025

Conversation

@mockersf
Member

Objective

  • Improve security of Bevy CI

Solution

  • Use zizmor to lint actions https://github.com/zizmorcore/zizmor
  • Fix a few lints
    • pin actions
    • specify persist-credentials
    • set write permissions at job level instead of workflow level
    • set target branch for pull_request_target workflows
  • Add the linter as CI. With the proposed config, it should report potential issues in the security center and not block merging. There are still a few lints that fail and need more rework to fix
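The four fixes listed above, as an added illustration that is not Bevy's workflow and not the exact job this PR merged: each hardened setting is preceded by a comment naming the form zizmor flags. The SHAs are placeholders, and the zizmor job assumes a pip install plus a SARIF upload via `github/codeql-action/upload-sarif`, with `--no-exit-codes` so findings are reported rather than failing the check.

```yaml
name: ci
# Added illustration, not Bevy's workflow: the flagged form is noted in a
# comment above each hardened setting.

on:
  pull_request_target:
    # Flagged: no branch filter, so a PR against any base branch runs with
    # the repository's write-capable token. Hardened: limit the target.
    branches: [main]

# Flagged: `contents: write` (or broader) here applies to every job.
# Hardened: read-only default at the workflow level.
permissions:
  contents: read

jobs:
  triage:
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write   # write scope granted only to the job that needs it
    steps:
      # Flagged: `uses: actions/checkout@v4` resolves a mutable tag.
      # Hardened: pin to a full commit SHA (placeholder below; substitute the
      # audited commit and keep the version in the trailing comment).
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false   # flagged default (true) keeps the token in .git/config
      - run: echo "steps that only read the checked-out tree go here"

  zizmor:
    # Assumed CI shape (not the merged job): run zizmor, upload SARIF so
    # findings land in the Security tab without failing the check.
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required for the SARIF upload
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - run: python3 -m pip install zizmor
      - run: zizmor --no-exit-codes --format sarif . > results.sarif
      - uses: github/codeql-action/upload-sarif@0000000000000000000000000000000000000000 # v3 (placeholder SHA)
        with:
          sarif_file: results.sarif
```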

@mockersf mockersf added A-Build-System Related to build systems or continuous integration C-Code-Quality A section of code that is hard to understand or change labels Dec 28, 2025
@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@alice-i-cecile alice-i-cecile added the S-Needs-Review Needs reviewer attention (from anyone!) to move forward label Dec 29, 2025
@LikeLakers2
Contributor

LikeLakers2 commented Dec 29, 2025

@mockersf I'm not sure of the point of marking #22294 (review) as resolved? It clearly wasn't resolved...

@mockersf
Member Author

It is for me

@alice-i-cecile alice-i-cecile added S-Ready-For-Final-Review This PR has been approved by the community. It's ready for a maintainer to consider merging it and removed S-Needs-Review Needs reviewer attention (from anyone!) to move forward labels Dec 29, 2025
@alice-i-cecile alice-i-cecile added this to the 0.19 milestone Dec 29, 2025
@alice-i-cecile alice-i-cecile added this pull request to the merge queue Dec 30, 2025
Merged via the queue into bevyengine:main with commit 9e8c600 Dec 30, 2025
47 checks passed
@mockersf
Member Author

mockersf commented Feb 5, 2026

It's configured to not fail CI but to report issues in the security center in github

That's the recommended configuration, and it made sense at the time because we have a few unresolved issues and I didn't want to block CI on it

Not sure there's anyone else than me that looks at that tab though, and only maintainers have access to it I think

github-merge-queue bot pushed a commit to wgsl-analyzer/wgsl-analyzer that referenced this pull request Feb 5, 2026
# Objective

Improve security of Bevy CI

# Solution

Use zizmor to lint actions https://github.com/zizmorcore/zizmor

- Fix a few lints
    - pin actions
    - specify persist-credentials
    - set write permissions at job level instead of workflow level
    - set target branch for pull_request_target workflows
- Add the linter as CI. With the proposed config, it should report
potential issues in the security center and not block merging.

Mostly stolen from bevyengine/bevy#22294