UID2-7011: add zizmor workflow-security scan (report-only)#149
Open
swibi-ttd wants to merge 1 commit into
Open
UID2-7011: add zizmor workflow-security scan (report-only)#149swibi-ttd wants to merge 1 commit into
swibi-ttd wants to merge 1 commit into
Conversation
33e8c2c to
7b0210d
Compare
Bare caller of the shared scan: severity floors inherit central defaults (report-only, High) and are overridable per-repo via ZIZMOR_* Actions variables. Part of the UID2-7011 org-wide rollout. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
7b0210d to
b6d9f92
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds the zizmor GitHub Actions security scan (UID2-7011) as a report-only check: it blocks nothing and shows findings (High severity and above) in the job summary when workflow files change.
The caller is deliberately bare — severity floors inherit the shared workflow's central defaults, so org-wide retunes are a single change in uid2-shared-actions rather than per-repo PRs. See the zizmor section of the uid2-shared-actions README.
Part of the org-wide rollout tracked in UID2-7011; gating comes later, after existing High findings are fixed.
🤖 Generated with Claude Code