mirror of
https://github.com/astral-sh/ruff
synced 2026-01-20 21:10:48 -05:00
## Summary

This PR upgrades zizmor to the latest release in our CI. zizmor is a static analyzer checking for security issues in GitHub workflows. The new release finds some new issues in our workflows; this PR fixes some of the issues, and adds ignores for some other issues.

The issues fixed in this PR are new cases of zizmor's [`template-injection`](https://woodruffw.github.io/zizmor/audits/#template-injection) rule being emitted. The issues I'm ignoring for now are all to do with the [`cache-poisoning`](https://woodruffw.github.io/zizmor/audits/#cache-poisoning) rule.

The main reason I'm fixing some but ignoring others is that I'm confident fixing the template-injection diagnostics won't have any impact on how our workflows operate in CI, but I'm worried that fixing the cache-poisoning diagnostics could slow down our CI a fair bit. I don't mind if somebody else is motivated to try to fix these diagnostics, but for now I think I'd prefer to just ignore them; it doesn't seem high-priority enough to try to fix them right now :-)

## Test Plan

- `uvx pre-commit run -a --hook-stage=manual` passes locally
- Let's see if CI passes on this PR...
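As an added illustration of the kind of finding the PR description refers to (a constructed example workflow, not one of the ruff repository's workflows and not part of this PR): zizmor's `template-injection` audit flags a `${{ ... }}` expression that is expanded directly inside a `run:` script when the context it reads is controlled by whoever opened the pull request, because GitHub substitutes the value into the script text before the shell ever sees it. The hardened job below carries the same value through `env:`, so the shell receives it as data rather than as code. The job names and the `greet` workflow name are assumptions chosen for this example.

```yaml
# Constructed example workflow, not a file from the ruff repository.
name: greet

on:
  pull_request:
    types: [opened]

jobs:
  # Flagged by zizmor's template-injection audit: the PR title is pasted
  # into the script source before bash runs it, so a title containing
  # shell metacharacters changes what the step executes.
  vulnerable:
    runs-on: ubuntu-latest
    steps:
      - run: echo "New PR: ${{ github.event.pull_request.title }}"

  # Same behaviour, not flagged: the value reaches the shell through an
  # environment variable and is quoted, so it is treated as plain text.
  hardened:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "New PR: $PR_TITLE"
```

The rewrite from the first form to the second is the mechanical change the PR applies to the workflows it fixes; it does not alter what the step prints, which is why the description expects no effect on how CI behaves. Re-running the pre-commit hook from the Test Plan (`uvx pre-commit run -a --hook-stage=manual`) is the check that the diagnostic is gone.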
13 lines
362 B
YAML
```yaml
# Configuration for the zizmor static analysis tool, run via pre-commit in CI
# https://woodruffw.github.io/zizmor/configuration/
#
# TODO: can we remove the ignores here so that our workflows are more secure?
rules:
  dangerous-triggers:
    ignore:
      - pr-comment.yaml
  cache-poisoning:
    ignore:
      - build-docker.yml
      - publish-playground.yml
```