@adamtheturtle commented Dec 29, 2025

Add zizmor to dev dependencies and pre-commit config for GitHub Actions workflow security linting.

Changes

  • Add zizmor==1.19.0 to dev dependencies in pyproject.toml
  • Add zizmor pre-commit hook (runs on YAML files in .github directory)
  • Add zizmor to ci.skip list (where applicable)

Note

Introduces GitHub Actions security linting with zizmor and hardens workflow permissions.

  • Adds zizmor==1.19.0 to dev dependencies and a zizmor pre-commit hook (targets .github YAML); added to ci.skip
  • Adds zizmor.yml configuration disabling selected rules
  • Hardens workflows: sets permissions: {} in CI and uses actions/checkout with persist-credentials: false in CI and Release

Written by Cursor Bugbot for commit c06b487.

@adamtheturtle merged commit ee94a0f into main Dec 29, 2025
9 checks passed
@adamtheturtle deleted the add-zizmor branch December 29, 2025 17:04

steps:
  - uses: actions/checkout@v6
    with:
      persist-credentials: false

Setting persist-credentials false breaks git auto commit action

Adding persist-credentials: false to the checkout step will break the release workflow. The stefanzweifel/git-auto-commit-action@v7 used later (line 74) relies on git credentials being persisted in the local git config to push commits. When persist-credentials: false is set, the PAT token from the checkout step is not stored in git config, so the auto-commit action cannot authenticate and the push will fail. This is a documented incompatibility (git-auto-commit-action Discussion #356).
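
A minimal check for the conflict the review comment above describes, added here as an example (not code from this PR, zizmor, or Cursor Bugbot): it flags jobs where a pushing action runs after a checkout that set persist-credentials: false. The sample workflow is constructed, and the line-based scan assumes two-space job indentation rather than parsing YAML fully.

```python
import re

# Actions that push using whatever credentials the checkout left behind.
PUSHING_ACTIONS = ("stefanzweifel/git-auto-commit-action",)

# Constructed sample workflow, not this repository's release workflow.
SAMPLE_WORKFLOW = """\
jobs:
  release:
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - run: echo "regenerate changelog"
      - uses: stefanzweifel/git-auto-commit-action@v7
  lint:
    steps:
      - uses: actions/checkout@v6
        with:
          persist-credentials: false
      - run: echo "lint only, no push"
"""

def find_push_conflicts(workflow_text):
    """Return (job, action) pairs where a pushing action follows a
    checkout with persist-credentials: false in the same job."""
    findings, steps, job = [], [], None

    def flush():
        dropped = False  # True once the latest checkout discarded credentials
        for step in steps:
            m = re.search(r"uses:\s*([^\s@]+)", step)
            action = m.group(1) if m else ""
            if action == "actions/checkout":
                dropped = bool(re.search(r"persist-credentials:\s*false\b", step))
            elif action in PUSHING_ACTIONS and dropped:
                findings.append((job, action))
        steps.clear()

    for line in workflow_text.splitlines():
        job_match = re.match(r"^ {2}([\w-]+):\s*$", line)
        if job_match:            # a new job starts: evaluate the previous one
            flush()
            job = job_match.group(1)
        elif re.match(r"^\s+- ", line):
            steps.append(line)   # first line of a new step
        elif steps and line.strip():
            steps[-1] += "\n" + line  # continuation of the current step
    flush()
    return findings
```

The lint job in the sample is not flagged, because dropping credentials is only a problem where a later step in the same job needs them to push.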
