b3a7f98e5a
CI / E2E Cloudflare (4/8) (push) Failing after 0s
CI / E2E Cloudflare (8/8) (push) Failing after 1s
CI / Lint (push) Failing after 1s
Auto Extract / Extract (push) Failing after 4s
CI / Version Check (push) Failing after 9s
CI / Integration Tests (push) Failing after 1s
CI / E2E tests (1/8) (push) Failing after 1s
CI / E2E tests (2/8) (push) Failing after 2s
CI / E2E tests (3/8) (push) Failing after 2s
CI / Browser Tests (push) Failing after 1s
CI / E2E tests (5/8) (push) Failing after 1s
CI / E2E Cloudflare (2/8) (push) Failing after 2s
CI / Typecheck (push) Failing after 1s
CI / Changeset Validation (push) Failing after 2s
CI / E2E Cloudflare (5/8) (push) Failing after 1s
CI / E2E Cloudflare (6/8) (push) Failing after 1s
CI / E2E Cloudflare (7/8) (push) Failing after 1s
CodeQL / Analyze (javascript-typescript) (push) Failing after 1s
Format / Format (push) Failing after 0s
CodeQL / Analyze (actions) (push) Failing after 4s
CI / E2E tests (4/8) (push) Failing after 1s
CI / E2E tests (6/8) (push) Failing after 1s
CI / E2E tests (7/8) (push) Failing after 2s
CI / E2E tests (8/8) (push) Failing after 1s
CI / E2E Cloudflare (1/8) (push) Failing after 1s
CI / E2E Cloudflare (3/8) (push) Failing after 2s
Preview Releases / Publish Preview (push) Failing after 0s
zizmor / Run zizmor (push) Failing after 1s
Release / Release (push) Failing after 2s
CI / Smoke Tests (push) Failing after 5m36s
CI / Tests (push) Failing after 6m36s
Release / Sync Templates (push) Has been skipped
CI / E2E Tests (push) Has been cancelled
76 lines
3.6 KiB
YAML
76 lines
3.6 KiB
YAML
# Configuration for zizmor (static analysis for GitHub Actions).
|
|
# https://docs.zizmor.sh/configuration/
|
|
#
|
|
# Findings ignored here are *deliberate* design choices, not "TODOs we never
|
|
# got to". Anything new or unexpected should land as a finding in the Security
|
|
# tab and be triaged before merge. Add an entry here only with a comment
|
|
# explaining why the finding is acceptable.
|
|
|
|
rules:
|
|
# `pull_request_target` and `workflow_run` are inherently dangerous, but we
|
|
# use them in workflows that have been written defensively: they either
|
|
# don't run untrusted code from the PR head, or they isolate untrusted state
|
|
# into clearly-marked steps. Each entry below has a one-line justification.
|
|
dangerous-triggers:
|
|
ignore:
|
|
# CLA assistant must comment on PRs from forks; runs a pinned third-party
|
|
# action and does not execute any code from the PR.
|
|
- cla.yml
|
|
# auto-format-apply uses workflow_run to commit the formatted patch
|
|
# computed by the untrusted `auto-format` workflow. The trusted job only
|
|
# consumes the inert patch artifact, verifies the PR head SHA matches the
|
|
# workflow_run head SHA, applies the diff, and pushes back via an app
|
|
# token. It never checks out or executes PR-controlled code.
|
|
- auto-format-apply.yml
|
|
# Lunaria only reads localized content and posts a status comment; does
|
|
# not execute PR-controlled code.
|
|
- lunaria.yml
|
|
# pr-compliance and pr-triage only inspect PR metadata (title, labels,
|
|
# author) via github-script. They never check out PR code.
|
|
- pr-compliance.yml
|
|
- pr-triage.yml
|
|
# review-state only reads PR and review metadata via github-script to set review/* labels; it never checks out or runs PR code.
|
|
- review-state.yml
|
|
# query-counts-apply uses workflow_run to apply snapshot updates that
|
|
# were computed in the untrusted `query-counts` workflow. The trusted
|
|
# workflow only consumes the artifact JSON, verifies the head SHA, and
|
|
# pushes back via an app token. See workflow comments for the full
|
|
# threat model.
|
|
- query-counts-apply.yml
|
|
# query-counts-label labels PRs based on path filters; it does not
|
|
# check out PR code.
|
|
- query-counts-label.yml
|
|
|
|
# The CLA assistant action (contributor-assistant/github-action) requires
|
|
# write access to actions, contents (cla-signatures branch), issues, PRs,
|
|
# and statuses. The workflow has only one job that uses these permissions,
|
|
# so workflow-level vs job-level scoping makes no real difference. A future
|
|
# PR may split the `label` job to a separate file with narrower permissions.
|
|
excessive-permissions:
|
|
ignore:
|
|
- cla.yml
|
|
|
|
# pkg.pr.new is a preview-release service, not npm registry publishing. It
|
|
# authenticates via its own GitHub OIDC flow (no long-lived token), so npm
|
|
# trusted publishing does not apply. The real npm publish (release.yml) uses
|
|
# OIDC provenance via the job's id-token: write.
|
|
use-trusted-publishing:
|
|
ignore:
|
|
- preview-releases.yml
|
|
|
|
# investigate.yml is the bot's reproduction runner. It installs the
|
|
# maintainer-owned bgproc / agent-browser CLIs globally at runtime so the
|
|
# agent doesn't self-install them mid-run. This is not a production build,
|
|
# and pinning these dev tools by version would add churn without a real
|
|
# supply-chain gain here.
|
|
adhoc-packages:
|
|
ignore:
|
|
- investigate.yml
|
|
|
|
# contributor-assistant/github-action is archived upstream but pinned by
|
|
# SHA, and has no maintained drop-in replacement. The CLA flow is critical;
|
|
# replacing the action is a separate, deliberate migration.
|
|
archived-uses:
|
|
ignore:
|
|
- cla.yml
|