
fix: use zizmor-action with digest-pinned Docker images #21

Open
jdalton wants to merge 1 commit into master from fix/allow-workflow-dispatch

Conversation

@jdalton jdalton (Contributor) commented Apr 7, 2026

Summary

  • Replaces pip install zizmor==1.23.1 with the official zizmorcore/zizmor-action@v0.5.2 (pinned by SHA)
  • Uses digest-pinned Docker images for supply chain integrity
  • Disables SARIF upload (advanced-security: false) since this workflow lacks security-events: write permission
  • Verified: zizmor .github --min-severity medium passes clean

Test plan

  • Verify zizmor audit still runs on PRs
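Added example, not code from the PR or the zizmor project: a small Python checker for the pinning rules the description lists (actions pinned by a 40-hex commit SHA, Docker images by a sha256 digest, pip installs only with --require-hashes), run over constructed before/after workflow snippets. The checkout SHA in the "after" snippet is a placeholder; the zizmor-action SHA is the one the Socket report on this PR shows.

```python
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"#\s]+)")
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"#\s]+)")
PIP_RE = re.compile(r"\bpip3?\s+install\b")

# Constructed "before" snippet: tag-pinned action plus a pip install that is
# version-pinned but not hash-checked (the pattern the PR replaces).
WORKFLOW_BEFORE = """\
jobs:
  zizmor:
    steps:
      - uses: actions/checkout@v4
      - run: pip install zizmor==1.23.1
      - run: zizmor .github --min-severity medium
"""

# Constructed "after" snippet: SHA-pinned actions, SARIF upload disabled.
# The checkout SHA is a placeholder; the zizmor-action SHA is from the PR.
WORKFLOW_AFTER = """\
jobs:
  zizmor:
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # placeholder
      - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8  # v0.5.2
        with:
          advanced-security: false
"""

def find_unpinned(workflow_text):
    """Return (line_no, kind, value) for each reference not immutably pinned."""
    findings = []
    for n, line in enumerate(workflow_text.splitlines(), 1):
        if m := USES_RE.match(line):
            ref = m.group(1)
            if ref.startswith("./"):  # local action: nothing to pin
                continue
            if ref.startswith("docker://"):
                if not DIGEST_RE.search(ref):
                    findings.append((n, "docker-image", ref))
            elif not SHA1_RE.match(ref.partition("@")[2]):
                findings.append((n, "action", ref))
        elif m := IMAGE_RE.match(line):
            if not DIGEST_RE.search(m.group(1)):
                findings.append((n, "docker-image", m.group(1)))
        elif PIP_RE.search(line) and "--require-hashes" not in line:
            findings.append((n, "pip-install", line.strip()))
    return findings
```

Running it over WORKFLOW_BEFORE reports the tag-pinned checkout and the hash-less pip install; WORKFLOW_AFTER yields no findings.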

socket-security-staging bot commented Apr 7, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Added
Package: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8
Supply Chain Security: 100 | Vulnerability: 100 | Quality: 90 | Maintenance: 100 | License: 100


socket-security bot commented Apr 7, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff: Added
Package: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8
Supply Chain Security: 100 | Vulnerability: 100 | Quality: 90 | Maintenance: 100 | License: 100


@jdalton jdalton force-pushed the fix/allow-workflow-dispatch branch from 4cfec5c to dec4f6a on April 7, 2026 18:38
@jdalton jdalton changed the title from "fix: use zizmor-action with hash-checked images + add workflow_dispatch" to "fix: use zizmor-action with hash-checked images" on Apr 7, 2026
@jdalton jdalton changed the title from "fix: use zizmor-action with hash-checked images" to "fix: use zizmor-action with hash-checked Docker images" on Apr 7, 2026
@jdalton jdalton force-pushed the fix/allow-workflow-dispatch branch from dec4f6a to febaa1b on April 7, 2026 18:38
@jdalton jdalton changed the title from "fix: use zizmor-action with hash-checked Docker images" to "fix: use zizmor-action with digest-pinned Docker images" on Apr 7, 2026
@jdalton jdalton force-pushed the fix/allow-workflow-dispatch branch from febaa1b to 927b542 on April 7, 2026 18:40
@jdalton jdalton requested a review from reberhardt7 on April 7, 2026 19:45

Replaces pip install with the official zizmorcore/zizmor-action
(SHA-pinned) which uses digest-pinned Docker images. Disables
SARIF upload since this workflow lacks security-events: write.

@jdalton jdalton force-pushed the fix/allow-workflow-dispatch branch from 927b542 to 4a3522e on April 7, 2026 22:28