| author | Daniel Hast <hast.daniel@protonmail.com> | 2026-03-07 16:06:54 -0500 |
|---|---|---|
| committer | Daniel Hast <hast.daniel@protonmail.com> | 2026-03-09 21:40:50 -0400 |
| commit | ed767a6a69c7cf218b6473f4acbc31c569f3fed2 (patch) | |
| tree | ed75803e0d96fe0178d8b2278452683521ab6b3d /.github | |
| parent | 3572bf7e16441e38d943b02764eb163db722a7a7 (diff) | |
ci: ignore known Zizmor findings
This avoids false positives from existing uses of `GITHUB_ENV` and
`pull_request_target` that are safe, as well as from cache usage in a
workflow that doesn't produce release artifacts.
Diffstat (limited to '.github')
| -rw-r--r-- | .github/actions/cache/action.yml | 8 | ||||
| -rw-r--r-- | .github/actions/setup/action.yml | 2 | ||||
| -rw-r--r-- | .github/zizmor.yml | 9 |
3 files changed, 14 insertions, 5 deletions
diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml index 591bb67e66..f48269e0d9 100644 --- a/.github/actions/cache/action.yml +++ b/.github/actions/cache/action.yml @@ -3,22 +3,22 @@ description: "This action caches neovim dependencies" runs: using: "composite" steps: - - run: echo "CACHE_KEY=${GITHUB_WORKFLOW}" >> $GITHUB_ENV + - run: echo "CACHE_KEY=${GITHUB_WORKFLOW}" >> $GITHUB_ENV # zizmor: ignore[github-env] shell: bash - - run: echo "CACHE_KEY=${GITHUB_JOB}" >> $GITHUB_ENV + - run: echo "CACHE_KEY=${GITHUB_JOB}" >> $GITHUB_ENV # zizmor: ignore[github-env] shell: bash - if: ${{ matrix }} env: MATRIX_JOIN: ${{ join(matrix.*, '-') }} - run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV + run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV # zizmor: ignore[github-env] shell: bash - if: ${{ matrix.build }} env: MATRIX_JOIN: ${{ join(matrix.build.*, '-') }} - run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV + run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV # zizmor: ignore[github-env] shell: bash - id: image diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index b3b1d15845..a3ad2e98c5 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml @@ -10,7 +10,7 @@ runs: steps: - name: Set $BIN_DIR shell: bash - run: echo "$BIN_DIR" >> $GITHUB_PATH + run: echo "$BIN_DIR" >> $GITHUB_PATH # zizmor: ignore[github-env] - if: ${{ runner.os != 'Windows' }} name: Set ulimit diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 4241b397b0..2976bbe3fa 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -1,4 +1,13 @@ rules: + cache-poisoning: + ignore: + - test.yml + dangerous-triggers: + ignore: + - backport.yml + - labeler_pr.yml + - reviewers_add.yml + - reviewers_remove.yml unpinned-uses: config: policies: |
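Review bot: The four `# zizmor: ignore[github-env]` comments added in cache/action.yml suppress the finding without recording why each write is safe, so a later edit to these steps inherits the suppression silently. The first two steps write only the runner-provided `GITHUB_WORKFLOW` and `GITHUB_JOB`, but the last two append `MATRIX_JOIN`, built from `join(matrix.*, '-')`, which stays safe only while matrix values are defined statically in the workflow file. A comment above the steps would keep that assumption reviewable, for example `# CACHE_KEY is built from runner variables and static matrix values; no event or PR data reaches GITHUB_ENV`. The same missing rationale applies to the ignore in setup/action.yml and to the entries added to zizmor.yml.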
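Review bot: The suppressed write in the `Set $BIN_DIR` step of setup/action.yml targets `GITHUB_PATH`, which controls which binaries every later step resolves, and the hunk does not show where `BIN_DIR` is assigned, so the ignore cannot be verified from this change alone. If `BIN_DIR` is a fixed path from the calling workflow's `env`, state that on the line above the step, e.g. `# BIN_DIR is a static path from the workflow env, never derived from event input`. The `steps:` list of this action starts and continues outside the hunk.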
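Review bot: The new `cache-poisoning` and `dangerous-triggers` entries in zizmor.yml exempt whole files, so any finding of those rules introduced later in `test.yml` or in the four listed workflows is hidden as well. This matters most for `test.yml`: the description's reason is that it produces no release artifacts, and a publishing job added to it later would go unreported. zizmor's `ignore` list also accepts `file.yml:line` entries, and an inline `# zizmor: ignore[cache-poisoning]` at the cache step keeps the exemption beside the code it covers. The exempted workflows are not part of this change, so a one-line comment per entry giving the reason would let the next reviewer re-check it.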
