Apply Zizmor#5079
Conversation
|
Hi Yannis, thanks for the patch. Could you please add more context about "Zizmor", providing more information for reviewers to make a decision? |
Sure, as per https://github.com/zizmorcore/zizmor: a static analysis tool for GitHub Actions. It can find many common security issues in typical GitHub Actions CI/CD setups. It may not be worth the time to review every warning emitted by zizmor, but I thought applying the easy ones would not hurt. And if we want to go beyond the auto-fixable issues, applying these first makes it simpler to review the non-auto ones in another PR. |
|
Yannis, Urvang: By searching for "actions/checkout" in the .github/ directory, I found that this pull request missed .github/workflows/pull_request.yaml and .github/workflows/nightly.yaml. I saw the following warning messages in the output of the zizmor command in the PR description: Should we change these two files manually (at least to add |
See https://github.com/zizmorcore/zizmor.
We pin GitHub Actions used in CI workflows to git hashes instead of version tags.
Similar change was also made to libavif's CI workflows in PR AOMediaCodec/libavif#1515 at the suggestion of Google's security team. The rationale is described in issue AOMediaCodec/libavif#1514.
zizmor --fix=all --gh-token=$(gh auth token) .github/workflowsoutput