Files
2026-07-13 12:58:18 +08:00

80 lines
3.9 KiB
YAML

# zizmor configuration — static analysis for GitHub Actions workflows.
#
# Docs: https://docs.zizmor.sh/configuration/
#
# This file lives at `.github/zizmor.yml` because zizmor auto-discovers
# it there. The companion workflow at `.github/workflows/security_zizmor.yml`
# runs zizmor in CI and fails the build on findings at the configured level.
#
# When a finding genuinely cannot be remediated (e.g. the action behavior
# is correct but tripped a check), add it under `rules:` with a clear
# justification comment — never blanket-suppress.
rules:
# `template-injection` flags ${{ }} expansions that put untrusted input
# (issue titles, PR titles, branch names, comment bodies) directly into
# `run:` scripts. The fix is always to route through `env:` and reference
# the env var inside the shell. We treat any new occurrence as a blocker.
template-injection:
ignore: []
# `dangerous-triggers` flags `pull_request_target` and similar triggers
# that run with secrets against fork-controlled refs. Anything new must
# be reviewed by a maintainer.
#
# Suppressions below were each reviewed by a maintainer; new additions
# must come with a comment explaining why the workflow is safe.
dangerous-triggers:
ignore:
# update-branch.yml: pull_request_target gated on `types: [labeled]`
# with a maintainer-applied "update-branch" label. The workflow uses
# the base-repo checkout (not the PR head), so no fork-controlled
# code runs with the elevated token. This is the documented safe
# pattern for label-gated automation.
- update-branch.yml
# showcase_deploy.yml / showcase_capture-previews.yml: workflow_run
# triggered by the in-repo "Showcase: Build & Push" workflow. Only
# main-branch builds fire workflow_run, and the downstream workflows
# never check out PR-head code — they checkout the same trusted
# main-branch ref or use the head_branch of the triggering run
# (which is also main per the upstream filter).
- showcase_deploy.yml
- showcase_capture-previews.yml
# test_smoke-starter.yml: workflow_run triggered by the in-repo
# "publish / release" workflow. Listens to release completions; no
# fork-controlled refs reach this workflow.
- test_smoke-starter.yml
# `unpinned-uses` is satisfied because every `uses:` is SHA-pinned and
# Renovate keeps them current (see renovate.json → local>CopilotKit/renovate).
# `excessive-permissions` flags jobs that grant token scopes they don't
# need. We surface but don't auto-suppress — fixing requires per-job
# `permissions:` blocks that match the actual API calls in the job.
excessive-permissions:
ignore: []
# `artipacked` flags `actions/checkout` calls that leave the default
# GITHUB_TOKEN persisted in the local git config. Every other checkout
# in the repo sets `persist-credentials: false`. The suppressions below
# are the workflows that legitimately need the persisted token to push
# back to the repo (release tagging, docs sync, PR comment from
# pkg-pr-new). Each call site carries a `persist-credentials required:`
# comment immediately above it.
#
# static_quality.yml was removed: its format job now uses
# persist-credentials: false and injects credentials via insteadOf
# only before the push step.
artipacked:
ignore:
# Release workflows that push tags / branches via GITHUB_TOKEN.
# publish-release.yml is intentionally NOT suppressed: its build job
# now uses persist-credentials: false (the artifact it uploads would
# otherwise leak a workflow-scoped token through .git/config) and the
# publish job downloads the artifact and sets up its own git auth via
# `git config insteadOf`.
- prerelease.yml
# pkg-pr-new posts snapshot comments on the PR using the repo token
# — credentials must remain persisted for the action to authenticate.
- publish-commit.yml