
DEVOPS-977: default zizmor config to allow MiraGeoscience unpinned actions #152

Merged

sebhmg merged 3 commits into main from DEVOPS-977-allow-mira-github-actions-tags on Apr 8, 2026

Conversation

@andrewg-mira andrewg-mira commented Feb 3, 2026

DEVOPS-977 - Zizmor: Allow trusted tag-pinned github actions

@github-actions github-actions bot changed the title from "DEVOPS-977 default zizmor config to allow MiraGeoscience unpinned act…" to "DEVOPS-977: default zizmor config to allow MiraGeoscience unpinned act…" on Feb 3, 2026
@sebhmg sebhmg left a comment


see suggestion for merging config with existing zizmor file

@andrewg-mira andrewg-mira force-pushed the DEVOPS-977-allow-mira-github-actions-tags branch from db4880f to d4c4c18 on March 5, 2026 18:45
@sebhmg sebhmg previously approved these changes Mar 10, 2026
@sebhmg sebhmg changed the title from "DEVOPS-977: default zizmor config to allow MiraGeoscience unpinned act…" to "DEVOPS-977: default zizmor config to allow MiraGeoscience unpinned actions" on Mar 10, 2026
Copilot AI review requested due to automatic review settings March 16, 2026 16:12
Copilot AI left a comment


Pull request overview

Updates the reusable Zizmor workflows and the Zizmor config setup action so CI can allow trusted, tag-pinned MiraGeoscience GitHub Actions while still running Zizmor scans.

Changes:

  • Bump setup-zizmor-config action reference in reusable Zizmor workflows from v2 to v3.1.
  • Change the setup-zizmor-config composite action to create/patch zizmor.yml via yq.
  • Add an unpinned-uses policy for MiraGeoscience/* with ref-pin in the generated/updated config.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| .github/workflows/reusable-zizmor-security.yml | Updates the setup-zizmor-config action ref to v3.1 before running Zizmor. |
| .github/workflows/reusable-zizmor-annotate.yml | Updates the setup-zizmor-config action ref to v3.1 before running Zizmor with annotations. |
| .github/actions/setup-zizmor-config/action.yml | Switches from creating a static config to patching/merging config via yq, adding the new policy. |

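The review above describes a `MiraGeoscience/*: ref-pin` policy added to the generated `zizmor.yml`, on top of the stricter pinning expected for everyone else. The script below is an added illustration, not zizmor's code and not the CI-tools action: it models how such an `unpinned-uses` policy classifies `uses:` references (commit SHA, tag/branch, or no ref at all) and which ones a scan would flag, so the effect of allowing tag-pinned first-party actions while still requiring hash pins elsewhere can be seen on a constructed workflow fragment. The policy key names, the "longest pattern wins" precedence and the sample SHA are assumptions made for this example.

```python
"""Model of zizmor-style `unpinned-uses` policies applied to `uses:` references.

Added illustration only: it mimics the policy semantics described in the PR
overview (hash-pin for third-party actions, ref-pin for MiraGeoscience/*) so the
trade-off is visible on sample lines. It is not zizmor's implementation.
"""
import fnmatch
import re

# A full 40-hex commit SHA is the only immutable reference; tags and branches can move.
HEX_SHA = re.compile(r"^[0-9a-f]{40}$")

# Constructed policy map in the shape the PR describes. The key names here are an
# assumption for this example, not a verified copy of zizmor's config schema.
POLICIES = {
    "*": "hash-pin",                # everyone else: commit SHA required
    "MiraGeoscience/*": "ref-pin",  # trusted first-party actions: tag/branch accepted
}


def classify_ref(uses: str):
    """Return (owner_repo, pin_kind) for a `uses:` value.

    pin_kind is 'hash' (40-hex commit SHA), 'ref' (tag or branch), 'none'
    (no @ref at all) or 'local' (./path or docker://, outside this check).
    """
    if uses.startswith("./") or uses.startswith("docker://"):
        return uses, "local"
    repo_path, sep, ref = uses.partition("@")
    owner_repo = "/".join(repo_path.split("/")[:2])  # drop any subpath
    if not sep or not ref:
        return owner_repo, "none"
    return owner_repo, "hash" if HEX_SHA.match(ref) else "ref"


def policy_for(owner_repo: str, policies=POLICIES) -> str:
    """Pick the most specific matching pattern (longest wins; '*' is the fallback)."""
    matches = [p for p in policies if fnmatch.fnmatchcase(owner_repo, p)]
    if not matches:
        return "hash-pin"  # assumption: strictest default when nothing matches
    return policies[max(matches, key=len)]


def violates(uses: str, policies=POLICIES) -> bool:
    """True when `uses` does not satisfy the policy that applies to its repository."""
    owner_repo, kind = classify_ref(uses)
    if kind == "local":
        return False
    required = policy_for(owner_repo, policies)
    if required == "any":
        return False
    if required == "ref-pin":
        return kind == "none"   # any tag, branch or SHA is acceptable
    return kind != "hash"       # hash-pin: only a commit SHA is acceptable


def audit(workflow_text: str, policies=POLICIES):
    """Scan `uses:` lines of a workflow and return (line_no, ref) for each offender."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = re.match(r"\s*-?\s*uses:\s*['\"]?([^'\"\s]+)", line)
        if m and violates(m.group(1), policies):
            findings.append((lineno, m.group(1)))
    return findings


# Constructed sample workflow fragment; the SHA below is made up for the example.
SAMPLE = """
steps:
  - uses: actions/checkout@v4
  - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
  - name: Setup Zizmor Config
    uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config@v3.1
  - uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config
  - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    for lineno, ref in audit(SAMPLE):
        owner_repo = classify_ref(ref)[0]
        print(f"line {lineno}: {ref} does not satisfy {policy_for(owner_repo)}")
```

With the sample input, the third-party `actions/checkout@v4` and the MiraGeoscience reference with no `@ref` are reported, while `setup-zizmor-config@v3.1` passes only because of the `ref-pin` exception. That exception is what this PR buys: the scan no longer fails on first-party tags, and the integrity of those tags becomes something the CI-tools repository has to protect (tag deletion or re-pointing, as the later comment about re-creating v3.1 shows, silently changes what the workflow runs).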

Comment on lines +15 to +16
# Patch (merge) with extra config
echo "Patching zizmor.yml configuration file for CI..."
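Review bot: the log line only says "Patching", but per the overview this step also creates zizmor.yml when the repository has none; make the comment and the echo state both cases (for example "Ensuring zizmor.yml exists and patching CI-specific Zizmor rules...") so a CI log shows whether a repository's own config was merged or a fresh one was generated.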

suggestion: just change description to

Ensures zizmor.yml exists and patches CI-specific Zizmor rules

Comment on lines 37 to 39
- name: Setup Zizmor Config
uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config@v2
uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config@v3.1
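Review bot: `@v3.1` is a mutable tag, so this reference resolves to whatever commit the tag points at when the workflow runs; the new `MiraGeoscience/*: ref-pin` policy makes zizmor accept it, which shifts the supply-chain trust onto how the CI-tools repository manages its tags. Confirm the v3.1 tag actually exists before merging (a later comment notes it was deleted and must be re-created), otherwise the Setup Zizmor Config step will fail to resolve the action.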


suggestion: tag v3.1 and move all actions to use v3.1 instead of v2

Comment on lines 38 to 40
- name: Setup Zizmor Config
uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config@v2
uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config@v3.1
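Review bot: this is the same v2 to v3.1 bump as in reusable-zizmor-security.yml; keep the two reusable workflows on an identical setup-zizmor-config version so the security scan and the annotate run generate the same policy, and apply the same precondition here: the v3.1 tag must exist at merge time.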


@sebhmg sebhmg left a comment


see my suggestions as replies to copilot

(note tag v3.1 does not exist anymore and must be re-created)

@sebhmg sebhmg left a comment


All required checks passed. Approving for merge.

@sebhmg sebhmg merged commit 3685fa6 into main Apr 8, 2026
10 checks passed
@sebhmg sebhmg deleted the DEVOPS-977-allow-mira-github-actions-tags branch April 8, 2026 17:29

sebhmg commented Apr 9, 2026

Wrong PR. Reverted and force-pushed main, and merging #161 instead.
