Follow-up from #192. zizmor's archived-uses audit (High confidence) flags semgrep/semgrep-action as coming from an archived repository — it will not receive security updates.
It is currently allow-listed in .github/zizmor.yml (with a rationale comment) so the workflow-lint job stays green. Migrating changes an existing, green scan job, so it was kept separate from the hardening PR.
Follow-up from #192. zizmor's
archived-usesaudit (High confidence) flagssemgrep/semgrep-actionas coming from an archived repository — it will not receive security updates.It is currently allow-listed in
.github/zizmor.yml(with a rationale comment) so the workflow-lint job stays green. Migrating changes an existing, green scan job, so it was kept separate from the hardening PR.semgrep/semgrep-action@v1with the semgrep CLI (e.g. runsemgrep scan --config auto --errorviauvx semgrepor the pinned-by-digestsemgrep/semgrepcontainer), preservingconfig: autoand the gating behavior.archived-usesignore from.github/zizmor.yml.