
build(deps): bump zizmorcore/zizmor-action from 0.5.5 to 0.5.6 in /.github/workflows #885

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/github_actions/dot-github/workflows/zizmorcore/zizmor-action-0.5.6

Conversation


@dependabot dependabot Bot commented on behalf of github May 23, 2026

Bumps zizmorcore/zizmor-action from 0.5.5 to 0.5.6.

Release notes

Sourced from zizmorcore/zizmor-action's releases.

v0.5.6

  • 1.25.2 is now available via the action
  • 1.25.2 is now the default version of zizmor used by the action

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code labels May 23, 2026

potiuk commented May 27, 2026

@dependabot rebase

Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.5.5 to 0.5.6.
- [Release notes](https://github.com/zizmorcore/zizmor-action/releases)
- [Commits](zizmorcore/zizmor-action@a16621b...5f14fd0)

---
updated-dependencies:
- dependency-name: zizmorcore/zizmor-action
  dependency-version: 0.5.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot force-pushed the dependabot/github_actions/dot-github/workflows/zizmorcore/zizmor-action-0.5.6 branch from 2ee349a to 085c1eb on May 27, 2026 23:18
potiuk added a commit that referenced this pull request May 28, 2026
#886 tried to silence zizmor 1.25.2's new `unpinned-tools` audit on
`1Password/load-secrets-action` with an inline `# zizmor: ignore[]`
comment, but placed it on the `if: false` line. zizmor only honours
the ignore on the line where the finding lives — line 40 (the
`- uses:` line) — so the suppression never took effect, and #885
(zizmor 0.5.5 → 0.5.6 bump) has been stuck failing CI ever since.

Inline placement on the `- uses:` line would also be fragile: it
sits next to dependabot's `# v4.0.0` version comment, and dependabot
rewrites that comment on every bump. The zizmor docs (configuration
guide) also state that "composite action findings cannot be ignored
via `zizmor.yml`", so the config-file path is closed.

The audit's actual remediation (per its source at
crates/zizmor/src/audit/unpinned_tools.rs) is to set a static
`with.version` value. The audit fires only when the input is
missing or literal `latest`. Setting it to any specific string
silences the finding. Since these composite entries are `if: false`
(allowlist registration only — they never execute), the version
value is cosmetic; only the static analyser cares.

This change:

- Adds `_unpinned_tool_version_pin()` + `_UNPINNED_TOOLS_VERSION_PINS`
  in `gateway/gateway.py` so the composite generator emits a
  `with.version` block for any action zizmor's `unpinned-tools` audit
  knows about (currently `1password/load-secrets-action` and
  `aquasecurity/setup-trivy`; the latter is preemptive — we don't
  carry it on the allowlist today).
- Applies the same `with.version` block manually to the existing
  `1Password/load-secrets-action` entries in the composite. The next
  full regeneration (post #892's pipeline recovery) will produce
  identical content; the manual edit only fast-paths the fix so #885
  can land immediately.
- Drops the no-op `# zizmor: ignore[unpinned-tools]` tail comment
  #886 added on the `if: false` line — the version pin is now the
  real suppression mechanism.

Local verification: `zizmor --min-severity medium --min-confidence
medium .github/ allowlist-check/ pelican/ stash/` now reports
"No findings to report. Good job!" (down from 1 medium). Gateway
tests still pass (8 passed).

Generated-by: Claude Opus 4.7
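The pin mechanism the commit message above describes, as an added example that is not the project's `gateway/gateway.py`: the function and table names mirror the ones the message mentions, but their bodies, the `unpinned_tools_findings` mimic of the audit's trigger condition, the pin value `"1"` and the sample steps are all constructed assumptions.

```python
# Added example, not the project's gateway.py: models the unpinned-tools
# trigger condition the commit message describes (version missing or
# 'latest') and the with.version pin that silences it. Constructed values.

# Actions the audit knows about; for `if: false` entries the version string
# is cosmetic, so "1" is an arbitrary constructed choice.
_UNPINNED_TOOLS_VERSION_PINS = {
    "1password/load-secrets-action": "1",
    "aquasecurity/setup-trivy": "1",
}


def _unpinned_tool_version_pin(uses: str):
    """Static version to emit for a `uses:` value, or None if not a known tool."""
    return _UNPINNED_TOOLS_VERSION_PINS.get(uses.split("@", 1)[0].lower())


def unpinned_tools_findings(steps: list) -> list:
    """Indexes of steps the audit flags: known tool with `with.version`
    missing or literally 'latest'. `if: false` does not exempt a step."""
    flagged = []
    for idx, step in enumerate(steps):
        if _unpinned_tool_version_pin(step.get("uses", "")) is None:
            continue
        version = (step.get("with") or {}).get("version")
        if version is None or str(version).strip().lower() == "latest":
            flagged.append(idx)
    return flagged


def pin_step(step: dict) -> dict:
    """Copy of `step` with a static with.version added if the audit would fire."""
    if not unpinned_tools_findings([step]):
        return dict(step)
    pin = _unpinned_tool_version_pin(step["uses"])
    return {**step, "with": {**(step.get("with") or {}), "version": pin}}


def render_step(step: dict) -> str:
    """Serialise one step as the YAML block a composite generator would emit."""
    lines = [f"- uses: {step['uses']}"]
    if "if" in step:
        lines.append(f"  if: {step['if']}")
    if step.get("with"):
        lines.append("  with:")
        lines += [f"    {k}: {v}" for k, v in step["with"].items()]
    return "\n".join(lines)


# Constructed sample steps; the all-zero SHAs are placeholders, not real pins.
SAMPLE_STEPS = [
    {"uses": "1Password/load-secrets-action@" + "0" * 40, "if": "false"},
    {"uses": "aquasecurity/setup-trivy@" + "0" * 40, "with": {"version": "latest"}},
    {"uses": "actions/checkout@" + "0" * 40},
]
```

Running `unpinned_tools_findings` before and after `pin_step` over `SAMPLE_STEPS` shows the first two entries flagged, then none, while the `actions/checkout` step is left untouched.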
snazy pushed a commit to snazy/infrastructure-actions that referenced this pull request Jun 2, 2026
…ecrets-action

zizmor v1.25.2 (shipped by zizmor-action v0.5.6) added the
unpinned-tools audit, which flags `1Password/load-secrets-action`
at line 40 of `.github/actions/for-dependabot-triggered-reviews/action.yml`
because that action installs the 1Password CLI from an unpinned
URL when it runs. In this file the step is `if: false` — it
never executes; the entry exists only so dependabot tracks the
SHA for inclusion in the approved allowlist.

zizmor's `unpinned-tools` audit doesn't currently understand
`if: false` and produces a false positive. Suppress with an
inline `# zizmor: ignore[unpinned-tools]` comment plus an
explanatory tail, matching the pattern already used for
`secrets-outside-env` and `dependabot-cooldown` ignores in
this repo.

This unblocks apache#885 (zizmor-action v0.5.5 → v0.5.6).

Generated-by: Claude Code (Claude Opus 4.7)