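---
# Configuration for the zizmor static analysis tool, run via pre-commit in CI
# https://docs.zizmor.sh/configuration/
#
# Each `ignore` entry below suppresses a zizmor finding for an entire workflow
# file. zizmor's configuration docs also describe `file.yml:line:col` entries,
# which narrow a suppression to a single finding instead of the whole workflow;
# prefer that form when re-auditing an ignore, so new findings in the same
# file are not hidden by an old suppression.
#
# TODO: can we remove the ignores here so that our workflows are more secure?
rules:
  dangerous-triggers:
    # TODO(review): no justification is recorded for this ignore. Note which
    # trigger the workflow uses and why it is safe to suppress, so the ignore
    # can be re-audited when the workflow changes.
    ignore:
      - pr-comment.yaml
  cache-poisoning:
    # TODO(review): no justification is recorded for this ignore; document
    # why cache use in this workflow is acceptable.
    ignore:
      - build-docker.yml
  excessive-permissions:
    # it's hard to test what the impact of removing these ignores would be
    # without actually running the release workflow...
    ignore:
      - build-docker.yml
      - publish-docs.yml
  secrets-inherit:
    # `cargo dist` makes extensive use of `secrets: inherit`,
    # and we can't easily fix that until an upstream release changes that.
    disable: true
  template-injection:
    ignore:
      # like with `secrets-inherit`, `cargo dist` introduces some
      # template injections. We've manually audited these usages for safety.
      - release.yml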