
ci: adjust zizmor advanced security handling #9

Merged
wochinge merged 1 commit into main from codex/zizmor-fork-pr-blocks on May 21, 2026

Conversation

@wochinge
Contributor

What changed

  • Run zizmor-action with advanced-security: false for non-push events, including pull requests and merge queue runs.
  • Keep Advanced Security/SARIF uploads enabled on push events.
  • Set min-severity: low for the zizmor scan.

Why

Fork pull requests cannot upload code scanning results to GitHub Advanced Security, so requiring zizmor code scanning results blocks community PRs. This keeps the check usable for fork PRs while preserving SARIF upload on trusted pushes.

Validation

  • YAML parse check for .github/workflows/zizmor.yml
  • git diff --check -- .github/workflows/zizmor.yml

@wochinge wochinge marked this pull request as ready for review May 21, 2026 09:00
@wochinge wochinge requested a review from a team as a code owner May 21, 2026 09:00
@wochinge wochinge merged commit 5c0c635 into main May 21, 2026
3 checks passed
@wochinge wochinge deleted the codex/zizmor-fork-pr-blocks branch May 21, 2026 09:00

@claude claude Bot left a comment


LGTM — small CI config tweak that enables zizmor scanning on fork PRs while preserving SARIF upload on trusted push events.

Extended reasoning...

Overview

This PR modifies a single file (.github/workflows/zizmor.yml). It removes the if: guard that skipped zizmor for fork PRs, and conditionally toggles advanced-security based on github.event_name == 'push'. It also sets min-severity: low.

Security risks

None apparent. The change actually broadens security scanning coverage by allowing zizmor to run on fork PRs (previously skipped entirely). Disabling advanced-security for non-push events is the documented workaround for the fact that fork PRs cannot upload SARIF to GitHub Advanced Security — this is a well-known constraint and the appropriate mitigation. The permissions block (permissions: {} at workflow level, security-events: write only at job level) is unchanged. persist-credentials: false on checkout is preserved.

Level of scrutiny

Low. This is a small, mechanical CI config change with clearly stated motivation. The conditional expression ${{ github.event_name == 'push' && 'true' || 'false' }} is a standard GitHub Actions ternary idiom that resolves to a string, which matches the action's advanced-security input type.

Other factors

No prior reviews or comments on this PR. Bug hunting system found no issues. The change is self-contained in a single workflow file and easy to revert if needed.
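To make the described configuration concrete, here is an added example workflow wired the way the PR description and the review above describe (deny-all workflow permissions, job-level security-events: write, persist-credentials: false on checkout, and the event-conditioned advanced-security input). It is not the repository's actual .github/workflows/zizmor.yml; the workflow name, job name, trigger list, action reference and version tag are assumptions.

```yaml
# Added example, not the project's own zizmor.yml. Action ref/version and
# the job/workflow names are assumptions; the inputs and permission layout
# follow the PR description.
name: zizmor

on:
  push:
    branches: [main]
  pull_request:
  merge_group:

# Deny everything at the workflow level; grant only what the job needs.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # assumed: needed by actions/checkout
      security-events: write  # needed for the SARIF upload on push events
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@v0.1.0   # version tag is a placeholder
        with:
          # GitHub Actions ternary idiom: yields the string 'true' on push
          # events and 'false' on pull_request / merge_group runs. Fork PRs
          # cannot upload SARIF to code scanning, so this keeps the check
          # from failing on community PRs while trusted pushes still upload.
          advanced-security: ${{ github.event_name == 'push' && 'true' || 'false' }}
          # Surface findings of severity low and above.
          min-severity: low
```

The `&& 'true' || 'false'` idiom is only safe because the "true" branch is a non-empty string; with a falsy value (empty string, 0, false) in that position the expression would silently fall through to the `||` branch.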
