
feat: integrate zizmor#1849

Open
trueberryless wants to merge 2 commits into
webpro-nl:mainfrom
trueberryless:feat/zizmor

Conversation

@trueberryless

Contributor

Description

This PR adds zizmor to the project. Zizmor is a static GitHub Actions analyser that aims to make actions more secure with best practices and security advisories.

To integrate Zizmor, I ran the CLI locally to analyse the current GitHub Actions and applied some fixes. I also decided to add newlines between each step for more readable workflow files. Zizmor passes locally completely:

[image: screenshot of the local zizmor run]

I also added a new zizmor action which makes sure that workflow edits never regress and the security recommendations are maintained in the future. This workflow should also pass in this PR already 🤞

Additionally, I decided to move the markdown-lint-check.json out of the .github/workflows folder into the parent dir .github, because I think the .github/workflows folder should mainly contain actual GitHub Action files. But I didn't move the scripts and snapshots because they are not as distracting as the one .json file was in the middle of the .yml files.

@pkg-pr-new

pkg-pr-new Bot commented Jul 1, 2026


npm i https://pkg.pr.new/knip@1849
npm i https://pkg.pr.new/@knip/language-server@1849
npm i https://pkg.pr.new/@knip/mcp@1849

commit: 01db14b

@webpro

webpro commented Jul 2, 2026

Member

Thanks for the PR. Overall I feel like it's a bit much for this particular repo. We're not using pull_request_target and have zero secrets, so I wonder what's the real benefit here? No publish/release flow (at least not yet).

Not sure we want cancel-in-progress: true either: we should see if something fails in e.g. Windows and Ubuntu (or only one of those), and the ecosystem repos (integration.yml) each have their own results we should see all failures for.

The no-cache: true is a bit overkill as it's scoped by branch?

The thing that we should definitely push though is the moved/scoped issues: write permission in integration.yml.
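As an added illustration of the one change the review says should land (not code from this PR or the knip repo): the same integration workflow with a workflow-wide `issues: write` grant, and then with the grant scoped to the single job that needs it. The job names, the cron trigger and the `gh issue create` reporting step are assumptions; the zizmor action itself is not shown.

```yaml
# Added illustration, not the project's workflow. Job names, trigger and the
# reporting step are assumed.

# BEFORE: a workflow-level grant, so every job (including the ecosystem runs,
# which only need to read the repo) can create and edit issues.
name: integration
on:
  schedule:
    - cron: "0 6 * * *"
permissions:
  contents: read
  issues: write
jobs:
  ecosystem:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

---
# AFTER: nothing is granted at workflow level (`permissions: {}`); each job
# declares only what it uses, and `issues: write` reaches the report job alone.
# Per the review, in-flight runs are not cancelled so every failure is visible.
name: integration
on:
  schedule:
    - cron: "0 6 * * *"
permissions: {}
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: false
jobs:
  ecosystem:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test
  report:
    needs: ecosystem
    if: failure()
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      # Assumed reporting step: file an issue linking to the failed run.
      - run: gh issue create --title "Integration run failed" --body "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
        env:
          GH_TOKEN: ${{ github.token }}
```

With the job-level form, a compromised step in the `ecosystem` job holds a read-only token, and zizmor's permissions checks have nothing to flag at workflow level.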
