Skip to content

ci: zizmor workflow#13901

Merged
glours merged 3 commits into
docker:mainfrom
crazy-max:zizmor
Jul 6, 2026
Merged

ci: zizmor workflow#13901
glours merged 3 commits into
docker:mainfrom
crazy-max:zizmor

Conversation

@crazy-max

Copy link
Copy Markdown
Member

similar to moby/buildkit#6623

@crazy-max crazy-max requested review from Copilot and glours July 6, 2026 14:51
@crazy-max crazy-max requested a review from a team as a code owner July 6, 2026 14:51
@crazy-max crazy-max requested a review from ndeloof July 6, 2026 14:51
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2
uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will be fixed in #13896

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR introduces a dedicated zizmor GitHub Actions workflow for workflow security linting, and aligns existing workflows with tighter permission defaults and clearer action pin annotations. It also enables Dependabot updates for GitHub Actions.

Changes:

  • Add .github/workflows/zizmor.yml to run zizmor and upload security findings (SARIF).
  • Harden/standardize workflow permissions (e.g., explicit permissions: {} / contents: read) and adjust ordering.
  • Enable Dependabot updates for github-actions and refresh pinned-action version comments.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
.github/workflows/zizmor.yml Adds zizmor reusable-workflow invocation and SARIF upload permissions.
.github/workflows/stale.yml Cleans up header comments and updates pinned-action version annotation.
.github/workflows/scorecards.yml Sets explicit empty top-level permissions and updates pinned-action version annotations.
.github/workflows/pr-review.yml Reorders permissions/on blocks and adjusts zizmor trigger linting ignore.
.github/workflows/pr-review-trigger.yml Reorders the on: block without changing behavior.
.github/workflows/merge.yml Moves top-level permissions earlier for clarity/consistency.
.github/workflows/docs-upstream.yml Removes redundant permission explanation comments; updates pinned-action version annotations.
.github/workflows/ci.yml Moves top-level permissions earlier; updates pinned-action version annotations.
.github/dependabot.yml Adds Dependabot updates for github-actions.

Comment thread .github/workflows/pr-review.yml
Comment thread .github/workflows/zizmor.yml Outdated
Comment thread .github/workflows/pr-review.yml

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟡 NEEDS ATTENTION

This PR introduces the zizmor security scanning workflow and fixes zizmor findings across existing CI workflows. Most changes are safe reorganizations (moving permissions: blocks, adding version comments, updating dependabot config). However, two issues in .github/workflows/pr-review.yml appear to be functional regressions introduced by this PR.

Comment thread .github/workflows/pr-review.yml
Comment thread .github/workflows/pr-review.yml
crazy-max added 2 commits July 6, 2026 16:57
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>

@docker-agent docker-agent left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assessment: 🟢 APPROVE

This PR makes CI workflow hardening changes as flagged by zizmor:

  • Permissions block placement: Moves top-level permissions: blocks to appear before on: in ci.yml, merge.yml, and pr-review.yml — this is the zizmor-preferred ordering and has no functional impact.
  • Version comment precision: Updates action version comments from short form (e.g., # v6) to full semver (e.g., # v6.0.2) — all SHAs remain unchanged, so no actual action version changes.
  • scorecards.yml: Adds permissions: {} at the workflow level; the job-level permissions (security-events: write, id-token: write) remain intact and are sufficient.
  • zizmor.yml (new): Delegates to crazy-max/.github reusable workflow pinned by SHA (46267a6e61cd56aac2fc79943df180152f4c89d6) with min-severity: medium, min-confidence: medium, and persona: pedantic. Permissions are correctly scoped (contents: read, security-events: write).
  • dependabot.yml: Adds github-actions ecosystem with a 7-day cooldown — straightforward and correct.
  • Miscellaneous: Removes trailing whitespace/blank lines, removes verbose comment blocks that were redundant given the code.

No bugs or regressions introduced. All changes are mechanical improvements to workflow hygiene.

@glours glours left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks @crazy-max

@glours glours enabled auto-merge (rebase) July 6, 2026 15:06
@glours glours merged commit be7b72e into docker:main Jul 6, 2026
44 of 45 checks passed
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@crazy-max crazy-max deleted the zizmor branch July 6, 2026 15:15
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Jul 9, 2026
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker/compose](https://github.com/docker/compose) | minor | `v5.1.4` → `v5.3.1` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>docker/compose (docker/compose)</summary>

### [`v5.3.1`](https://github.com/docker/compose/releases/tag/v5.3.1)

[Compare Source](docker/compose@v5.3.0...v5.3.1)

#### What's Changed

##### 🔧  Internal

- Ci: add concurrency group to pr-review-trigger to prevent duplicate reviews by [@&#8203;derekmisler](https://github.com/derekmisler) in [#&#8203;13890](docker/compose#13890)
- Fix grammar in Attestations field comment by [@&#8203;blackflytech](https://github.com/blackflytech) in [#&#8203;13891](docker/compose#13891)
- Ci: remove unused desktop-edge-test workflow by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13897](docker/compose#13897)
- Ci: zizmor workflow by [@&#8203;crazy-max](https://github.com/crazy-max) in [#&#8203;13901](docker/compose#13901)
- Ci: fix docs-upstream workflow by [@&#8203;crazy-max](https://github.com/crazy-max) in [#&#8203;13912](docker/compose#13912)
- CODEOWNERS: add compose-reviewers by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13913](docker/compose#13913)
- Ci: harden GitHub Actions workflows by [@&#8203;glours](https://github.com/glours) in [#&#8203;13896](docker/compose#13896)
- GHA: dependabot: group docker/\* actions updates by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13914](docker/compose#13914)

##### ⚙️ Dependencies

- Build(deps): bump github.com/moby/buildkit from `0.31.0` to `0.31.1` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13892](docker/compose#13892)
- Build(deps): bump github.com/moby/sys/user to `v0.4.1` by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13893](docker/compose#13893)
- Build(deps): bump go.yaml.in/yaml/v4 from `4.0.0-rc.4` to `4.0.0-rc.6` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13876](docker/compose#13876)
- Build(deps): bump github.com/docker/cli from `29.6.0+incompatible` to `29.6.1+incompatible` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13895](docker/compose#13895)
- Build(deps): bump actions/stale from `10.2.0` to `10.3.0` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13902](docker/compose#13902)
- Build(deps): bump the docker-actions group with 3 updates by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13916](docker/compose#13916)
- Build(deps): bump actions/upload-artifact from `7.0.0` to `7.0.1` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13908](docker/compose#13908)
- Build(deps): bump actions/setup-go from `6.3.0` to `6.5.0` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13907](docker/compose#13907)
- Build(deps): bump test-summary/action from `2.4` to `2.6` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13903](docker/compose#13903)
- Build(deps): bump mxschmitt/action-tmate from `3.23` to `3.24` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13910](docker/compose#13910)
- Build(deps): bump codecov/codecov-action from `5.5.3` to `7.0.0` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13904](docker/compose#13904)
- Build(deps): bump github/codeql-action/upload-sarif from `3.36.3` to `4.36.2` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13917](docker/compose#13917)
- Build(deps): bump actions/checkout from `6.0.2` to `7.0.0` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13911](docker/compose#13911)

#### New Contributors

- [@&#8203;blackflytech](https://github.com/blackflytech) made their first contribution in [#&#8203;13891](docker/compose#13891)

**Full Changelog**: <docker/compose@v5.3.0...v5.3.1>

### [`v5.3.0`](https://github.com/docker/compose/releases/tag/v5.3.0)

[Compare Source](docker/compose@v5.2.0...v5.3.0)

#### What's Changed

> ℹ️ This release introduces native support for init containers.

##### ✨ Improvements

- Pre start init containers by [@&#8203;glours](https://github.com/glours) in [#&#8203;13862](docker/compose#13862)

##### 🐛 Fixes

- Fix(oci): route authorizer token fetches through provided transport by [@&#8203;glours](https://github.com/glours) in [#&#8203;13873](docker/compose#13873)
- Fix(run): scope Running events to project.Services by [@&#8203;glours](https://github.com/glours) in [#&#8203;13883](docker/compose#13883)

##### 🔧  Internal

- Chore: migrate cagent-action to docker-agent-action (v2.0.0) by [@&#8203;docker-agent](https://github.com/docker-agent) in [#&#8203;13869](docker/compose#13869)
- Chore: migrate to docker-agent-action v2.0.1 by [@&#8203;docker-agent](https://github.com/docker-agent) in [#&#8203;13872](docker/compose#13872)
- Fix(reconcile): hash resolved service refs to match executor by [@&#8203;glours](https://github.com/glours) in [#&#8203;13880](docker/compose#13880)
- Fix(compose/port): show private port in portNotFoundError message by [@&#8203;vmphase](https://github.com/vmphase) in [#&#8203;13875](docker/compose#13875)
- Fix(run): normalize --no-TTY flag to --no-tty by [@&#8203;nickjj](https://github.com/nickjj) in [#&#8203;13885](docker/compose#13885)

##### ⚙️ Dependencies

- Bump compose-go to version v2.13.0 by [@&#8203;glours](https://github.com/glours) in [#&#8203;13886](docker/compose#13886)

#### New Contributors

- [@&#8203;docker-agent](https://github.com/docker-agent) made their first contribution in [#&#8203;13869](docker/compose#13869)
- [@&#8203;vmphase](https://github.com/vmphase) made their first contribution in [#&#8203;13875](docker/compose#13875)
- [@&#8203;nickjj](https://github.com/nickjj) made their first contribution in [#&#8203;13885](docker/compose#13885)

**Full Changelog**: <docker/compose@v5.2.0...v5.3.0>

### [`v5.2.0`](https://github.com/docker/compose/releases/tag/v5.2.0)

[Compare Source](docker/compose@v5.1.4...v5.2.0)

#### What's Changed

> ℹ️ This version introduces a new reconciliation algorithm between the observed state and the expected state.
>
> If you experience any issues with a Compose workload that was previously working, please open an issue.

##### ✨ Improvements

- Reconciliation plan by [@&#8203;ndeloof](https://github.com/ndeloof) & [@&#8203;glours](https://github.com/glours) in [#&#8203;13830](docker/compose#13830)
- Add `rawsetenv` message type for provider plugins by [@&#8203;rajyan](https://github.com/rajyan) in [#&#8203;13742](docker/compose#13742)

##### 🐛 Fixes

- Fix(build): skip remote URL contexts from bake fs.read allowlist by [@&#8203;ndeloof](https://github.com/ndeloof) in [#&#8203;13816](docker/compose#13816)
- Skip validation when extracting config variables by [@&#8203;scarab-systems](https://github.com/scarab-systems) in [#&#8203;13831](docker/compose#13831)
- Fix(progress): probe stderr (not stdout) for TTY auto-detection by [@&#8203;glours](https://github.com/glours) in [#&#8203;13837](docker/compose#13837)
- Fix(publish): honor env\_file required: false for missing files by [@&#8203;Ijtihed](https://github.com/Ijtihed) in [#&#8203;13848](docker/compose#13848)

##### 🔧  Internal

- Docs: compose logs: add links for since/until flag descriptions by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13806](docker/compose#13806)
- Ci: add Dependabot cooldown ([`2026060`](docker/compose@20260603)-170456) by [@&#8203;securityeng-bot](https://github.com/securityeng-bot)\[bot] in [#&#8203;13820](docker/compose#13820)
- Docs(CLAUDE.md): note that commits must be signed off (DCO) by [@&#8203;ndeloof](https://github.com/ndeloof) in [#&#8203;13817](docker/compose#13817)
- Refactor: replace Split in loops with more efficient SplitSeq and replace HasPrefix+TrimPrefix with CutPrefix by [@&#8203;caltechustc](https://github.com/caltechustc) in [#&#8203;13810](docker/compose#13810)
- Chore: fix some comments to improve readability by [@&#8203;solunolab](https://github.com/solunolab) in [#&#8203;13823](docker/compose#13823)
- GHA: update docs-upstream to pin workflows by sha by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13834](docker/compose#13834)
- Docs: compose logs: add more links for flag descriptions by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13833](docker/compose#13833)
- Fix/progress tty line overflow 13595 by [@&#8203;glours](https://github.com/glours) in [#&#8203;13840](docker/compose#13840)
- Fix(publish): bypass Docker Desktop proxy for loopback registries by [@&#8203;ptrdom](https://github.com/ptrdom) in [#&#8203;13825](docker/compose#13825)
- Watch: do not rebuild depends\_on services on file change by [@&#8203;ndeloof](https://github.com/ndeloof) in [#&#8203;13856](docker/compose#13856)
- pkg/e2e: fix malformed JWT in fixtures by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13857](docker/compose#13857)
- pkg/e2e: drop unused run param from getEnv by [@&#8203;glours](https://github.com/glours) in [#&#8203;13867](docker/compose#13867)
- Docs: `ps --format json` outputs JSON Lines, not a JSON array by [@&#8203;glours](https://github.com/glours) in [#&#8203;13868](docker/compose#13868)

##### ⚙️ Dependencies

- Build(deps): bump github.com/docker/cli from `29.5.1+incompatible` to `29.5.2+incompatible` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13802](docker/compose#13802)
- Update to go `1.26.4` by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13828](docker/compose#13828)
- Chore(deps): github.com/containerd/typeurl/v2 `v2.3.0` by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13829](docker/compose#13829)
- Build(deps): bump golang.org/x/sync from `0.20.0` to `0.21.0` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13838](docker/compose#13838)
- Chore(deps): github.com/docker/cli `v29.5.3`, github.com/docker/buildx `v0.34.1`, buildkit `v0.30.0` by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13841](docker/compose#13841)
- Build(deps): bump golang.org/x/sys from `0.45.0` to `0.46.0` by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13832](docker/compose#13832)
- Chore(deps): golang.org/x/crypto `v0.53.0` by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13844](docker/compose#13844)
- Build(deps): bump github.com/containerd/containerd/v2 from `2.2.3` to `2.2.4` in the go\_modules group across 1 directory by [@&#8203;dependabot](https://github.com/dependabot)\[bot] in [#&#8203;13804](docker/compose#13804)
- Chore(deps): bump github.com/containerd/containerd/v2 to `v2.2.5` by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13855](docker/compose#13855)
- Chore(deps): bump github.com/golang-jwt/jwt/v5 to `v5.3.1` by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13847](docker/compose#13847)
- Chore(deps): github.com/docker/cli `v29.6.0`, github.com/docker/buildx `v0.35.0`, buildkit `v0.31.0` by [@&#8203;thaJeztah](https://github.com/thaJeztah) in [#&#8203;13842](docker/compose#13842)
- Bump compose-go to version `v2.12.1` by [@&#8203;glours](https://github.com/glours) in [#&#8203;13865](docker/compose#13865)

#### New Contributors

- [@&#8203;securityeng-bot](https://github.com/securityeng-bot)\[bot] made their first contribution in [#&#8203;13820](docker/compose#13820)
- [@&#8203;caltechustc](https://github.com/caltechustc) made their first contribution in [#&#8203;13810](docker/compose#13810)
- [@&#8203;solunolab](https://github.com/solunolab) made their first contribution in [#&#8203;13823](docker/compose#13823)
- [@&#8203;scarab-systems](https://github.com/scarab-systems) made their first contribution in [#&#8203;13831](docker/compose#13831)
- [@&#8203;ptrdom](https://github.com/ptrdom) made their first contribution in [#&#8203;13825](docker/compose#13825)
- [@&#8203;rajyan](https://github.com/rajyan) made their first contribution in [#&#8203;13742](docker/compose#13742)
- [@&#8203;Ijtihed](https://github.com/Ijtihed) made their first contribution in [#&#8203;13848](docker/compose#13848)

**Full Changelog**: <docker/compose@v5.1.4...v5.2.0>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNTYuMCIsInVwZGF0ZWRJblZlciI6IjQzLjI1Ni4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiLCJhdXRvbWF0aW9uOmJvdC1hdXRob3JlZCIsImRlcGVuZGVuY3ktdHlwZTo6bWlub3IiXX0=-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants