Start linting with Zizmor #548

Merged
merged 2 commits into from
Feb 18, 2025

@jku (Member) commented Feb 17, 2025

actions: Start linting with zizmor

Both actions and workflows get linted at the same time.

  • Added lint workflow: this did not quite fit in the existing test matrix since it needs GH_TOKEN (and because the dependencies are tracked separately) so I added a separate workflow
  • Locally tox -e lint-actions works (and is included in tox -m lint) although these miss a few checks because GitHub token is not available
  • A few issues in both workflows and actions found by zizmor are fixed as well

INFO audit: zizmor: 🌈 completed .github/workflows/actions-lint.yml
INFO audit: zizmor: 🌈 completed .github/workflows/ci.yml
INFO audit: zizmor: 🌈 completed .github/workflows/release.yml
INFO audit: zizmor: 🌈 completed .github/workflows/update-pinned-deps.yml
INFO audit: zizmor: 🌈 completed actions/signing-event/action.yml
INFO audit: zizmor: 🌈 completed actions/create-signing-events/action.yml
INFO audit: zizmor: 🌈 completed actions/online-sign/action.yml
INFO audit: zizmor: 🌈 completed actions/online-sign-targets/action.yml
INFO audit: zizmor: 🌈 completed actions/upload-repository/action.yml
INFO audit: zizmor: 🌈 completed actions/update-issue/action.yml
INFO audit: zizmor: 🌈 completed actions/test-repository/action.yml
No findings to report. Good job!

This case is harmless but still makes sense to avoid bad habits.

@jku changed the title from "Zizmor" to "Start linting with Zizmor" Feb 17, 2025
@jku marked this pull request as ready for review February 17, 2025 17:52
@jku requested a review from kommendorkapten as a code owner February 17, 2025 17:52

Both actions and workflows get checked at the same time.

* Add lint workflow: this did not quite fit in the normal test matrix
  since it needs GH_TOKEN (and because the dependencies are tracked
  separately) so I added a separate workflow
* "tox -e lint-actions" works too (and this is included in "tox -m lint")
  although these miss a few checks because github token is not available
* A few workflow issues found by zizmor are fixed as well

@jku merged commit 15da160 into theupdateframework:main Feb 18, 2025
12 checks passed