name: zizmor # Always runs on PRs so the "Require code scanning results" ruleset rule # always has a SARIF to inspect. Real analysis only runs when workflow files # changed; otherwise we upload an empty SARIF so locale-only / code-only PRs # aren't blocked waiting for a check that never reports. on: push: branches: [main] pull_request: branches: [main] permissions: {} jobs: zizmor: name: Run zizmor runs-on: ubuntu-latest permissions: security-events: write # upload SARIF to code scanning contents: read actions: read pull-requests: read # dorny/paths-filter calls the PRs API on pull_request events steps: - name: Checkout uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 with: persist-credentials: false - name: Detect workflow changes id: changes if: github.event_name == 'pull_request' uses: dorny/paths-filter@7b450fff21473bca461d4b92ce414b9d0420d706 # v4.0.2 with: filters: | workflows: - '.github/workflows/**' - '.github/actions/**' - '.github/zizmor.yml' - name: Decide whether to analyze id: decide env: EVENT_NAME: ${{ github.event_name }} CHANGED: ${{ steps.changes.outputs.workflows }} run: | if [ "$EVENT_NAME" != "pull_request" ] || [ "$CHANGED" = "true" ]; then echo "analyze=true" >> "$GITHUB_OUTPUT" else echo "analyze=false" >> "$GITHUB_OUTPUT" fi - name: Run zizmor if: steps.decide.outputs.analyze == 'true' uses: zizmorcore/zizmor-action@192e21d79ab29983730a13d1382995c2307fbcaa # v0.5.7 with: # Pin the tool version (the action defaults to `latest`) so a new # zizmor release can't surface findings that block unrelated PRs. version: "1.26.1" # When skipped, upload an empty SARIF so the ruleset rule passes. - name: Write empty SARIF if: steps.decide.outputs.analyze != 'true' run: | cat > zizmor.sarif <<'EOF' { "version": "2.1.0", "$schema": "https://json.schemastore.org/sarif-2.1.0.json", "runs": [ { "tool": { "driver": { "name": "zizmor", "semanticVersion": "0.0.0", "rules": [] } }, "results": [], "automationDetails": { "id": "zizmor/" } } ] } EOF - name: Upload empty SARIF if: steps.decide.outputs.analyze != 'true' uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2 with: sarif_file: zizmor.sarif category: zizmor