mirror of https://github.com/astral-sh/ruff
27 lines
907 B
YAML
27 lines
907 B
YAML
# Configuration for the zizmor static analysis tool, run via pre-commit in CI
|
|
# https://docs.zizmor.sh/configuration/
|
|
#
|
|
# TODO: can we remove the ignores here so that our workflows are more secure?
|
|
rules:
|
|
dangerous-triggers:
|
|
ignore:
|
|
- pr-comment.yaml
|
|
cache-poisoning:
|
|
ignore:
|
|
- build-docker.yml
|
|
excessive-permissions:
|
|
# it's hard to test what the impact of removing these ignores would be
|
|
# without actually running the release workflow...
|
|
ignore:
|
|
- build-docker.yml
|
|
- publish-docs.yml
|
|
secrets-inherit:
|
|
# `cargo dist` makes extensive use of `secrets: inherit`,
|
|
# and we can't easily fix that until an upstream release changes that.
|
|
disable: true
|
|
template-injection:
|
|
ignore:
|
|
# like with `secrets-inherit`, `cargo dist` introduces some
|
|
# template injections. We've manually audited these usages for safety.
|
|
- release.yml
|