Configure Zizmor to allow unpinned actions in actions/* namespace #3646
base: master
Conversation
Applied automatic fix from zizmor to add cooldown configuration to dependabot.yml. This addresses the dependabot-cooldown warning that zizmor reported. Co-authored-by: Nateowami <6140710+Nateowami@users.noreply.github.com>
@copilot Can you configure Zizmor to not care about pinning actions in the actions/ namespace? Also, can you explain what the cooldown actually does? Can you link to the exact documentation?
Added .zizmor.yml configuration file to exclude actions in the actions/* namespace from requiring hash pins. This reduces noise from official GitHub actions while still enforcing strict pinning for third-party actions. Updated the zizmor workflow to use this configuration file. Co-authored-by: Nateowami <6140710+Nateowami@users.noreply.github.com>
Configured zizmor to allow any reference type for
The cooldown configuration sets a minimum age for dependency updates. With
Documentation: https://docs.github.com/en/code-security/reference/supply-chain-security/dependabot-options-reference#cooldown
Warning: Firewall rules blocked me from connecting to one or more addresses. I tried to connect to the following addresses, but was blocked by firewall rules:
If you need me to access, download, or install something from one of these locations, you can either:
Codecov Report
✅ All modified and coverable lines are covered by tests.

Additional details and impacted files
@@            Coverage Diff            @@
##           master    #3646    +/-   ##
=======================================
  Coverage   83.52%   83.52%
=======================================
  Files         610      610
  Lines       37512    37512
  Branches     6172     6148    -24
=======================================
  Hits        31332    31332
- Misses       5226     5239    +13
+ Partials      954      941    -13

☔ View full report in Codecov by Sentry.
@copilot Can you break the two changes into two PRs? If you can't, please just keep the changes for allowing unpinned actions. Also update the PR title.
Removed the dependabot cooldown configuration to keep only the zizmor policy changes as requested. The PR now only contains changes to allow unpinned actions in the actions/* namespace. Co-authored-by: Nateowami <6140710+Nateowami@users.noreply.github.com>
I cannot create separate PRs, but I've removed the Dependabot cooldown changes in commit 1584b5a. The PR now only contains the zizmor configuration changes to allow unpinned actions in the
The PR title has been updated to "Configure zizmor to allow unpinned actions in actions/* namespace".
Nateowami left a comment
@Nateowami reviewed 2 files and all commit messages, and made 1 comment.
Reviewable status: complete! All files reviewed, all discussions resolved (waiting on @copilot[bot]).
This is intended to fix the 99 or so zizmor errors on master.
Configured zizmor to use a practical policy for action pinning in GitHub Actions workflows, allowing unpinned actions in the actions/* namespace.

Changes
- .zizmor.yml: Created configuration file to allow any reference type (tags, branches) for actions in the actions/* namespace while enforcing hash pinning for third-party actions. This reduces noise from official GitHub actions while maintaining security for untrusted actions.
- .github/workflows/zizmor.yml: Updated to use the new configuration file when running zizmor analysis.

Impact
High severity findings reduced from 68 to 17. Only third-party actions now require hash pins, while official GitHub actions (like actions/checkout@v5) can use tag references.
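The policy described above, written out as an added example rather than the PR's own .zizmor.yml; the key names follow zizmor's documented unpinned-uses policies, but the exact contents of the file in this PR are not shown on the page, so treat the layout as an assumption:

```yaml
# .zizmor.yml (added example; assumed to match what this PR introduces)
rules:
  unpinned-uses:
    config:
      policies:
        # Official GitHub actions may use any ref type (tag, branch, or SHA).
        # Trade-off: a tag such as actions/checkout@v5 is mutable and can be
        # moved by the owner, so this accepts that risk only for actions/*.
        "actions/*": any
        # Every other action must be pinned to a full commit SHA, which is
        # what catches a tag being retargeted in a third-party repository.
        "*": hash-pin
```

Because this file lives at the repository root rather than at .github/zizmor.yml, where zizmor looks by default, the workflow has to pass it explicitly, for example with `zizmor --config .zizmor.yml .` (flag assumed from zizmor's CLI, not quoted from the PR).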