
Add zizmor CI #7463

Open
ShaharNaveh wants to merge 4 commits into RustPython:main from ShaharNaveh:zizmor

Conversation

ShaharNaveh (Contributor) commented Mar 18, 2026

Summary by CodeRabbit

  • Chores
    • Added automated security linting to the CI pipeline: a new job runs on the main branch, performs repository checks with an integrated security scanner, and reports findings to the project's security event logs to strengthen automated security checks and surface issues earlier in the development cycle.

@ShaharNaveh ShaharNaveh added the skip:ci Skip running the ci label Mar 18, 2026
coderabbitai bot (Contributor) commented Mar 18, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 901bf90e-103e-4c9f-9073-7681f9b88831

📥 Commits

Reviewing files that changed from the base of the PR and between 403175d and e3a74cb.

📒 Files selected for processing (1)
  • .github/workflows/ci.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ci.yaml

📝 Walkthrough

A new CI job security-lint was added to .github/workflows/ci.yaml under the wasm-wasi workflow. It runs on ubuntu-latest for main, checks out the repo (no credentials persisted), requests security-events: write, and runs zizmor-action for security linting.

Changes

Cohort / File(s) | Summary
CI Security Lint Job, .github/workflows/ci.yaml | Added security-lint job under the wasm-wasi workflow: runs on ubuntu-latest for main, if: ${{ github.ref == 'refs/heads/main' }}, sets permissions: security-events: write, checks out the repo with persist-credentials: false, and runs zizmorcore/zizmor-action.

Sequence Diagram(s)

sequenceDiagram
    participant GH as GitHub Actions
    participant Runner as ubuntu-latest Runner
    participant Repo as Repository (checkout)
    participant Zizmor as zizmorcore/zizmor-action

    GH->>Runner: trigger security-lint job (on main)
    Runner->>Repo: actions/checkout (persist-credentials: false)
    Runner->>Zizmor: invoke zizmorcore/zizmor-action
    Zizmor-->>GH: report security findings (uses security-events write)

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • youknowone

Poem

🐰 A rabbit hopped into the main,
Sniffed the branches, checked each train,
Zizmor hummed, the logs went bright,
Security hummed through day and night,
Hops of safety, light and plain.

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The title 'Add zizmor CI' accurately and concisely describes the main change: adding a new zizmor security linting job to the CI workflow.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 563-565: The "Run zizmor" workflow step uses
zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 but doesn't
check out the repo first, causing the action to fail with "no inputs"; add a
preceding checkout step (e.g., add a step named "Checkout repository" that uses
actions/checkout@v4) placed immediately before the "Run zizmor" step so the
workspace contains the workflow files the action expects.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 745a3f6d-3779-4e95-b8a1-50a81b6af8b2

📥 Commits

Reviewing files that changed from the base of the PR and between 9a5de28 and ee43719.

📒 Files selected for processing (1)
  • .github/workflows/ci.yaml

ShaharNaveh and others added 2 commits March 18, 2026 16:06
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
fanninpm (Contributor) commented:

@coderabbitai review

coderabbitai bot (Contributor) commented Mar 18, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 561-564: The workflow has the `steps` key incorrectly nested under
the `permissions` block (see `permissions:` and `steps:`), which makes the job
invalid; fix this by unindenting/moving the `steps:` section so it is a sibling
of `permissions:` (not a child), ensuring `permissions:`, `security-events:
write`, and the `steps:` list (including the `actions/checkout@de0fac2e...`
entry) are at the same indentation level so the `security-lint` job has a valid
`steps` section.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 43ab2e9c-8ea1-4f41-af8e-355e17c45996

📥 Commits

Reviewing files that changed from the base of the PR and between ee43719 and 403175d.

📒 Files selected for processing (1)
  • .github/workflows/ci.yaml
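For reference, here is the security-lint job as the walkthrough above and the two review comments (missing checkout step; steps nested under permissions) together describe it, with both flagged defects corrected. This is an added example written for this page, not the PR's own diff. Assumptions beyond what the page states: the workflow-level on: trigger, the actions/checkout@v4 ref (the PR pins a full commit SHA that is truncated on this page), and the contents: read scope, which is added because a job-level permissions block sets every unspecified scope to none.

```yaml
# Added example, not the PR's diff. The job as described on this page,
# with the two review findings fixed. Items marked "assumption" are not
# taken from the page.
name: CI

on:                      # assumption: the page does not show the trigger
  push:
    branches: [main]
  pull_request:

jobs:
  security-lint:
    runs-on: ubuntu-latest
    # Only audit on main, as the walkthrough describes.
    if: ${{ github.ref == 'refs/heads/main' }}
    permissions:
      # Lets zizmor-action upload its SARIF findings to code scanning.
      security-events: write
      # Assumption: once any scope is set at job level, unspecified scopes
      # become none, so checkout is given explicit read access here.
      contents: read
    # `steps` is a sibling of `permissions`, not nested under it
    # (the indentation defect flagged in the second review comment).
    steps:
      # zizmor-action audits the workflow files in the workspace, so the
      # repository must be checked out first (the defect flagged in the
      # first review comment).
      - name: Checkout repository
        uses: actions/checkout@v4   # assumption: the PR pins a full SHA
        with:
          # The job never pushes, so do not leave GITHUB_TOKEN in .git/config.
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95
```

The persist-credentials: false setting matters for a job that only reads: a checkout that keeps the token in the workspace is one of the things zizmor itself reports (its artipacked audit), so leaving it on would make the linter flag the job that runs it.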

fanninpm (Contributor) commented:

@ShaharNaveh we might want to consider adding actionlint to the CI suite.

ShaharNaveh (Contributor, Author) commented:

> @ShaharNaveh we might want to consider adding actionlint to the CI suite.

Sure, we can do both :)

2 participants