Follow-up from #361.
`zizmor.yml` currently ignores auditor-persona findings for workflows synced from conda/infrastructure, because those workflow files must not be edited directly in this repository (any local change would be overwritten by the next sync).
conda/infrastructure#1328 already added baseline `zizmor` coverage upstream, but it does not enable the auditor persona. Running `zizmor --persona=auditor .github/workflows` (zizmor 1.25.2) against the current conda/infrastructure `origin/main` still reports findings for the synced workflows, so the remaining upstream task is specifically the auditor-persona cleanup/suppression work.
Synced workflows currently covered by local suppressions here:
- `.github/workflows/cla.yml`
- `.github/workflows/issues.yml`
- `.github/workflows/labels.yml`
- `.github/workflows/lock.yml`
- `.github/workflows/project.yml`
- `.github/workflows/stale.yml`
- `.github/workflows/update.yml`

The ignored findings include permissions, undocumented permissions, concurrency/job naming, `secrets-outside-env`, `superfluous-actions`, `artipacked`, and `template-injection` findings, depending on the workflow.
Tasks:
- Update conda/infrastructure to run `zizmor` with the auditor persona, matching this repository's pre-commit configuration.
- Apply the appropriate fixes upstream in conda/infrastructure, or add upstream-owned `zizmor` ignore entries where a finding is intentionally accepted.
- Sync the updated workflows back into this repository.
- Remove the corresponding ignore entries from `zizmor.yml` in this repository once the synced workflows no longer need local suppressions.
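For reference, an illustrative sketch of the two pieces of configuration the tasks above refer to. This is an added example written for this issue, not the contents of this repository's real `zizmor.yml` or `.pre-commit-config.yaml`, and not anything from conda/infrastructure. Assumptions: the `excessive-permissions` rule is what produces the "permissions" findings mentioned above, the `:42` line number is a placeholder, ignore entries match on the workflow file's basename, and the `zizmorcore/zizmor-pre-commit` mirror tags track zizmor's own version numbers.

```yaml
# zizmor.yml (illustrative only; rule-to-finding mapping and line numbers are assumed)
rules:
  template-injection:
    ignore:
      - issues.yml          # whole-file ignore: suppresses every template-injection finding in the synced file
  secrets-outside-env:
    ignore:
      - update.yml:42       # line-scoped ignore (42 is a placeholder): findings elsewhere in the file stay visible
  artipacked:
    ignore:
      - project.yml
  superfluous-actions:
    ignore:
      - labels.yml
  excessive-permissions:    # assumed to be the rule behind the "permissions" findings listed above
    ignore:
      - cla.yml
      - lock.yml
      - stale.yml
---
# .pre-commit-config.yaml excerpt: the hook invocation upstream needs to match
# so that conda/infrastructure and this repository audit the same workflows the same way
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v1.25.2            # assumed to correspond to zizmor 1.25.2, the version cited above
    hooks:
      - id: zizmor
        args: ["--persona=auditor"]
```

Two practical caveats. A whole-file ignore also hides any new finding of that rule introduced by a later sync, so once upstream runs the auditor persona itself, each local entry here should be deleted rather than left as a safety net; until then, line-scoped entries are the safer local shape. And because the findings are attributed to workflow filenames, the ignore entries only make sense while the synced files keep their current names; renaming a workflow upstream silently invalidates the corresponding suppression here.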