Merge pull request #156 from crazy-max/zizmor-reuse

tonistiigi · web-flow · commit 2497a7d1e7d8 · 2026-04-01T12:08:29.000-07:00
ci: switch to reusable workflow to run zizmor
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,7 +4,13 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 2
     open-pull-requests-limit: 10
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
     labels:
       - "area/dependencies"
       - "bot"
diff --git a/.github/workflows/.pr-assign-author.yml b/.github/workflows/.pr-assign-author.yml
@@ -1,6 +1,5 @@
 name: .pr-assign-author
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -11,41 +10,8 @@ on:
       - reopened
 
 jobs:
-  assign-author:
-    runs-on: ubuntu-24.04
+  run:
+    uses: crazy-max/.github/.github/workflows/pr-assign-author.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
     permissions:
       contents: read
       pull-requests: write
-    steps:
-      -
-        name: Assigning author to PR
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
-        with:
-          script: |
-            try {
-              const dt = context.payload?.pull_request;
-              if (!dt) {
-                throw new Error(`No pull request payload found, skipping.`);
-              }
-            
-              const { assignees, number, user: { login: author, type } } = dt;
-              if (assignees.length > 0) {
-                throw new Error(`Pull request is already assigned to someone, skipping.`);
-              } else if (type !== 'User') {
-                throw new Error(`Not a user, skipping.`);
-              }
-            
-              const respAdd = await github.rest.issues.addAssignees({
-                ...context.repo,
-                issue_number: number,
-                assignees: [author]
-              });
-              core.debug(`addAssignees resp: ${JSON.stringify(respAdd, null, 2)}`);
-              if (respAdd.status !== 201) {
-                throw new Error(`Failed to assign @${author} to the pull request #${number}.`);
-              }
-            
-              core.info(`@${author} has been assigned to the pull request #${number}`);
-            } catch (e) {
-              core.warning(e.message);
-            }
diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml
@@ -1,6 +1,5 @@
 name: .test-bake
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
diff --git a/.github/workflows/.test-build.yml b/.github/workflows/.test-build.yml
@@ -1,6 +1,5 @@
 name: .test-build
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
diff --git a/.github/workflows/.zizmor.yml b/.github/workflows/.zizmor.yml
@@ -1,6 +1,5 @@
 name: .zizmor
 
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions
 permissions:
   contents: read
 
@@ -16,50 +15,13 @@ on:
       - 'releases/v*'
   pull_request:
 
-env:
-  ZIZMOR_VERSION: 1.22.0 # https://github.com/zizmorcore/zizmor
-
 jobs:
   zizmor:
-    runs-on: ubuntu-24.04
+    uses: crazy-max/.github/.github/workflows/zizmor.yml@bb328ea508cd6a89d0865555ddbeb148e5724aed # v1.3.0
     permissions:
       contents: read
       security-events: write
-    env:
-      TMPDIR: /tmp/zizmor
-    steps:
-      -
-        name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-      -
-        name: Setup uv
-        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7.6.0
-        with:
-          enable-cache: false
-      -
-        name: Install zizmor
-        run: |
-          set -ex
-          uv tool install zizmor@${ZIZMOR_VERSION}
-      -
-        name: Run zizmor
-        id: zizmor
-        run: |
-          mkdir -p ${TMPDIR}
-          set -ex
-          zizmor --min-severity=medium --min-confidence=medium --persona=pedantic --no-online-audits --format=sarif . > ${TMPDIR}/zizmor.sarif
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Zizmor crash report
-        if: ${{ failure() && steps.zizmor.conclusion == 'failure' }}
-        run: |
-          cat ${TMPDIR}/report-*.toml
-      -
-        name: Upload SARIF report
-        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4.35.1
-        with:
-          sarif_file: ${{ env.TMPDIR }}/zizmor.sarif
-          category: zizmor
+    with:
+      min-severity: medium
+      min-confidence: medium
+      persona: pedantic
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -7,3 +7,7 @@ rules:
       - bake.yml
       - build.yml
       - verify.yml
+
+  # FIXME: remove this rule when zizmor 1.24.0 is released, fixing the right persona attached to this rule: https://github.com/zizmorcore/zizmor/pull/1783
+  secrets-outside-env:
+    disable: true
