ci: zizmor workflow#13901
Conversation
| # Upload the results to GitHub's code scanning dashboard. | ||
| - name: "Upload to code-scanning" | ||
| uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2 | ||
| uses: github/codeql-action/upload-sarif@b8d3b6e8af63cde30bdc382c0bc28114f4346c88 # v2.28.1 |
There was a problem hiding this comment.
Pull request overview
This PR introduces a dedicated zizmor GitHub Actions workflow for workflow security linting, and aligns existing workflows with tighter permission defaults and clearer action pin annotations. It also enables Dependabot updates for GitHub Actions.
Changes:
- Add
.github/workflows/zizmor.ymlto run zizmor and upload security findings (SARIF). - Harden/standardize workflow permissions (e.g., explicit
permissions: {}/contents: read) and adjust ordering. - Enable Dependabot updates for
github-actionsand refresh pinned-action version comments.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/zizmor.yml |
Adds zizmor reusable-workflow invocation and SARIF upload permissions. |
.github/workflows/stale.yml |
Cleans up header comments and updates pinned-action version annotation. |
.github/workflows/scorecards.yml |
Sets explicit empty top-level permissions and updates pinned-action version annotations. |
.github/workflows/pr-review.yml |
Reorders permissions/on blocks and adjusts zizmor trigger linting ignore. |
.github/workflows/pr-review-trigger.yml |
Reorders the on: block without changing behavior. |
.github/workflows/merge.yml |
Moves top-level permissions earlier for clarity/consistency. |
.github/workflows/docs-upstream.yml |
Removes redundant permission explanation comments; updates pinned-action version annotations. |
.github/workflows/ci.yml |
Moves top-level permissions earlier; updates pinned-action version annotations. |
.github/dependabot.yml |
Adds Dependabot updates for github-actions. |
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟡 NEEDS ATTENTION
This PR introduces the zizmor security scanning workflow and fixes zizmor findings across existing CI workflows. Most changes are safe reorganizations (moving permissions: blocks, adding version comments, updating dependabot config). However, two issues in .github/workflows/pr-review.yml appear to be functional regressions introduced by this PR.
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
docker-agent
left a comment
There was a problem hiding this comment.
Assessment: 🟢 APPROVE
This PR makes CI workflow hardening changes as flagged by zizmor:
- Permissions block placement: Moves top-level
permissions:blocks to appear beforeon:inci.yml,merge.yml, andpr-review.yml— this is the zizmor-preferred ordering and has no functional impact. - Version comment precision: Updates action version comments from short form (e.g.,
# v6) to full semver (e.g.,# v6.0.2) — all SHAs remain unchanged, so no actual action version changes. - scorecards.yml: Adds
permissions: {}at the workflow level; the job-level permissions (security-events: write,id-token: write) remain intact and are sufficient. - zizmor.yml (new): Delegates to
crazy-max/.githubreusable workflow pinned by SHA (46267a6e61cd56aac2fc79943df180152f4c89d6) withmin-severity: medium,min-confidence: medium, andpersona: pedantic. Permissions are correctly scoped (contents: read,security-events: write). - dependabot.yml: Adds
github-actionsecosystem with a 7-day cooldown — straightforward and correct. - Miscellaneous: Removes trailing whitespace/blank lines, removes verbose comment blocks that were redundant given the code.
No bugs or regressions introduced. All changes are mechanical improvements to workflow hygiene.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [docker/compose](https://github.com/docker/compose) | minor | `v5.1.4` → `v5.3.1` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>docker/compose (docker/compose)</summary> ### [`v5.3.1`](https://github.com/docker/compose/releases/tag/v5.3.1) [Compare Source](docker/compose@v5.3.0...v5.3.1) #### What's Changed ##### 🔧 Internal - Ci: add concurrency group to pr-review-trigger to prevent duplicate reviews by [@​derekmisler](https://github.com/derekmisler) in [#​13890](docker/compose#13890) - Fix grammar in Attestations field comment by [@​blackflytech](https://github.com/blackflytech) in [#​13891](docker/compose#13891) - Ci: remove unused desktop-edge-test workflow by [@​thaJeztah](https://github.com/thaJeztah) in [#​13897](docker/compose#13897) - Ci: zizmor workflow by [@​crazy-max](https://github.com/crazy-max) in [#​13901](docker/compose#13901) - Ci: fix docs-upstream workflow by [@​crazy-max](https://github.com/crazy-max) in [#​13912](docker/compose#13912) - CODEOWNERS: add compose-reviewers by [@​thaJeztah](https://github.com/thaJeztah) in [#​13913](docker/compose#13913) - Ci: harden GitHub Actions workflows by [@​glours](https://github.com/glours) in [#​13896](docker/compose#13896) - GHA: dependabot: group docker/\* actions updates by [@​thaJeztah](https://github.com/thaJeztah) in [#​13914](docker/compose#13914) ##### ⚙️ Dependencies - Build(deps): bump github.com/moby/buildkit from `0.31.0` to `0.31.1` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13892](docker/compose#13892) - Build(deps): bump github.com/moby/sys/user to `v0.4.1` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13893](docker/compose#13893) - Build(deps): bump go.yaml.in/yaml/v4 from `4.0.0-rc.4` to `4.0.0-rc.6` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13876](docker/compose#13876) - Build(deps): bump github.com/docker/cli from `29.6.0+incompatible` to `29.6.1+incompatible` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13895](docker/compose#13895) - Build(deps): bump actions/stale from `10.2.0` to `10.3.0` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13902](docker/compose#13902) - Build(deps): bump the docker-actions group with 3 updates by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13916](docker/compose#13916) - Build(deps): bump actions/upload-artifact from `7.0.0` to `7.0.1` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13908](docker/compose#13908) - Build(deps): bump actions/setup-go from `6.3.0` to `6.5.0` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13907](docker/compose#13907) - Build(deps): bump test-summary/action from `2.4` to `2.6` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13903](docker/compose#13903) - Build(deps): bump mxschmitt/action-tmate from `3.23` to `3.24` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13910](docker/compose#13910) - Build(deps): bump codecov/codecov-action from `5.5.3` to `7.0.0` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13904](docker/compose#13904) - Build(deps): bump github/codeql-action/upload-sarif from `3.36.3` to `4.36.2` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13917](docker/compose#13917) - Build(deps): bump actions/checkout from `6.0.2` to `7.0.0` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13911](docker/compose#13911) #### New Contributors - [@​blackflytech](https://github.com/blackflytech) made their first contribution in [#​13891](docker/compose#13891) **Full Changelog**: <docker/compose@v5.3.0...v5.3.1> ### [`v5.3.0`](https://github.com/docker/compose/releases/tag/v5.3.0) [Compare Source](docker/compose@v5.2.0...v5.3.0) #### What's Changed > ℹ️ This release introduces native support for init containers. ##### ✨ Improvements - Pre start init containers by [@​glours](https://github.com/glours) in [#​13862](docker/compose#13862) ##### 🐛 Fixes - Fix(oci): route authorizer token fetches through provided transport by [@​glours](https://github.com/glours) in [#​13873](docker/compose#13873) - Fix(run): scope Running events to project.Services by [@​glours](https://github.com/glours) in [#​13883](docker/compose#13883) ##### 🔧 Internal - Chore: migrate cagent-action to docker-agent-action (v2.0.0) by [@​docker-agent](https://github.com/docker-agent) in [#​13869](docker/compose#13869) - Chore: migrate to docker-agent-action v2.0.1 by [@​docker-agent](https://github.com/docker-agent) in [#​13872](docker/compose#13872) - Fix(reconcile): hash resolved service refs to match executor by [@​glours](https://github.com/glours) in [#​13880](docker/compose#13880) - Fix(compose/port): show private port in portNotFoundError message by [@​vmphase](https://github.com/vmphase) in [#​13875](docker/compose#13875) - Fix(run): normalize --no-TTY flag to --no-tty by [@​nickjj](https://github.com/nickjj) in [#​13885](docker/compose#13885) ##### ⚙️ Dependencies - Bump compose-go to version v2.13.0 by [@​glours](https://github.com/glours) in [#​13886](docker/compose#13886) #### New Contributors - [@​docker-agent](https://github.com/docker-agent) made their first contribution in [#​13869](docker/compose#13869) - [@​vmphase](https://github.com/vmphase) made their first contribution in [#​13875](docker/compose#13875) - [@​nickjj](https://github.com/nickjj) made their first contribution in [#​13885](docker/compose#13885) **Full Changelog**: <docker/compose@v5.2.0...v5.3.0> ### [`v5.2.0`](https://github.com/docker/compose/releases/tag/v5.2.0) [Compare Source](docker/compose@v5.1.4...v5.2.0) #### What's Changed > ℹ️ This version introduces a new reconciliation algorithm between the observed state and the expected state. > > If you experience any issues with a Compose workload that was previously working, please open an issue. ##### ✨ Improvements - Reconciliation plan by [@​ndeloof](https://github.com/ndeloof) & [@​glours](https://github.com/glours) in [#​13830](docker/compose#13830) - Add `rawsetenv` message type for provider plugins by [@​rajyan](https://github.com/rajyan) in [#​13742](docker/compose#13742) ##### 🐛 Fixes - Fix(build): skip remote URL contexts from bake fs.read allowlist by [@​ndeloof](https://github.com/ndeloof) in [#​13816](docker/compose#13816) - Skip validation when extracting config variables by [@​scarab-systems](https://github.com/scarab-systems) in [#​13831](docker/compose#13831) - Fix(progress): probe stderr (not stdout) for TTY auto-detection by [@​glours](https://github.com/glours) in [#​13837](docker/compose#13837) - Fix(publish): honor env\_file required: false for missing files by [@​Ijtihed](https://github.com/Ijtihed) in [#​13848](docker/compose#13848) ##### 🔧 Internal - Docs: compose logs: add links for since/until flag descriptions by [@​thaJeztah](https://github.com/thaJeztah) in [#​13806](docker/compose#13806) - Ci: add Dependabot cooldown ([`2026060`](docker/compose@20260603)-170456) by [@​securityeng-bot](https://github.com/securityeng-bot)\[bot] in [#​13820](docker/compose#13820) - Docs(CLAUDE.md): note that commits must be signed off (DCO) by [@​ndeloof](https://github.com/ndeloof) in [#​13817](docker/compose#13817) - Refactor: replace Split in loops with more efficient SplitSeq and replace HasPrefix+TrimPrefix with CutPrefix by [@​caltechustc](https://github.com/caltechustc) in [#​13810](docker/compose#13810) - Chore: fix some comments to improve readability by [@​solunolab](https://github.com/solunolab) in [#​13823](docker/compose#13823) - GHA: update docs-upstream to pin workflows by sha by [@​thaJeztah](https://github.com/thaJeztah) in [#​13834](docker/compose#13834) - Docs: compose logs: add more links for flag descriptions by [@​thaJeztah](https://github.com/thaJeztah) in [#​13833](docker/compose#13833) - Fix/progress tty line overflow 13595 by [@​glours](https://github.com/glours) in [#​13840](docker/compose#13840) - Fix(publish): bypass Docker Desktop proxy for loopback registries by [@​ptrdom](https://github.com/ptrdom) in [#​13825](docker/compose#13825) - Watch: do not rebuild depends\_on services on file change by [@​ndeloof](https://github.com/ndeloof) in [#​13856](docker/compose#13856) - pkg/e2e: fix malformed JWT in fixtures by [@​thaJeztah](https://github.com/thaJeztah) in [#​13857](docker/compose#13857) - pkg/e2e: drop unused run param from getEnv by [@​glours](https://github.com/glours) in [#​13867](docker/compose#13867) - Docs: `ps --format json` outputs JSON Lines, not a JSON array by [@​glours](https://github.com/glours) in [#​13868](docker/compose#13868) ##### ⚙️ Dependencies - Build(deps): bump github.com/docker/cli from `29.5.1+incompatible` to `29.5.2+incompatible` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13802](docker/compose#13802) - Update to go `1.26.4` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13828](docker/compose#13828) - Chore(deps): github.com/containerd/typeurl/v2 `v2.3.0` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13829](docker/compose#13829) - Build(deps): bump golang.org/x/sync from `0.20.0` to `0.21.0` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13838](docker/compose#13838) - Chore(deps): github.com/docker/cli `v29.5.3`, github.com/docker/buildx `v0.34.1`, buildkit `v0.30.0` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13841](docker/compose#13841) - Build(deps): bump golang.org/x/sys from `0.45.0` to `0.46.0` by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13832](docker/compose#13832) - Chore(deps): golang.org/x/crypto `v0.53.0` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13844](docker/compose#13844) - Build(deps): bump github.com/containerd/containerd/v2 from `2.2.3` to `2.2.4` in the go\_modules group across 1 directory by [@​dependabot](https://github.com/dependabot)\[bot] in [#​13804](docker/compose#13804) - Chore(deps): bump github.com/containerd/containerd/v2 to `v2.2.5` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13855](docker/compose#13855) - Chore(deps): bump github.com/golang-jwt/jwt/v5 to `v5.3.1` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13847](docker/compose#13847) - Chore(deps): github.com/docker/cli `v29.6.0`, github.com/docker/buildx `v0.35.0`, buildkit `v0.31.0` by [@​thaJeztah](https://github.com/thaJeztah) in [#​13842](docker/compose#13842) - Bump compose-go to version `v2.12.1` by [@​glours](https://github.com/glours) in [#​13865](docker/compose#13865) #### New Contributors - [@​securityeng-bot](https://github.com/securityeng-bot)\[bot] made their first contribution in [#​13820](docker/compose#13820) - [@​caltechustc](https://github.com/caltechustc) made their first contribution in [#​13810](docker/compose#13810) - [@​solunolab](https://github.com/solunolab) made their first contribution in [#​13823](docker/compose#13823) - [@​scarab-systems](https://github.com/scarab-systems) made their first contribution in [#​13831](docker/compose#13831) - [@​ptrdom](https://github.com/ptrdom) made their first contribution in [#​13825](docker/compose#13825) - [@​rajyan](https://github.com/rajyan) made their first contribution in [#​13742](docker/compose#13742) - [@​Ijtihed](https://github.com/Ijtihed) made their first contribution in [#​13848](docker/compose#13848) **Full Changelog**: <docker/compose@v5.1.4...v5.2.0> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNTYuMCIsInVwZGF0ZWRJblZlciI6IjQzLjI1Ni4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiLCJhdXRvbWF0aW9uOmJvdC1hdXRob3JlZCIsImRlcGVuZGVuY3ktdHlwZTo6bWlub3IiXX0=-->
similar to moby/buildkit#6623