nixpkgs

tobias/nixpkgs

Fork 0

mirror of https://github.com/NixOS/nixpkgs.git synced 2025-11-09 16:18:34 +01:00

Commit graph

Author	SHA1	Message	Date
Winter	1a9867167d	ci: add zizmor check and configuration `zizmor` is a tool that uses static analysis to find potential security issues in GitHub Actions [0]. (Yes, it's a bit absurd that GitHub made a CI system so complicated that tools like this were created, but I digress.) Given our increase in GHA usage recently, I think this is a good step towards keeping our security posture in tip-top shape. (It also keeps with the theme of automating as many things as possible!) The rule related to the usages of dangerous-triggers have been disabled to avoid false-positives. Explanations about the usage of `pull_request_target` and expectations around its usage can be found in `.github/workflows/README.md`. [0]: https://woodruffw.github.io/zizmor/ Co-authored-by: Thomas Gerbet <thomas@gerbet.me>	2025-10-26 22:03:12 +01:00

Author

SHA1

Message

Date

Winter

1a9867167d

ci: add zizmor check and configuration

`zizmor` is a tool that uses static analysis to find potential security
issues in GitHub Actions [0]. (Yes, it's a bit absurd that GitHub
made a CI system so complicated that tools like this were created, but
I digress.)

Given our increase in GHA usage recently, I think this is a good step
towards keeping our security posture in tip-top shape. (It also keeps
with the theme of automating as many things as possible!)

The rule related to the usages of dangerous-triggers have been disabled
to avoid false-positives. Explanations about the usage of
`pull_request_target` and expectations around its usage can be found in
`.github/workflows/README.md`.

[0]: https://woodruffw.github.io/zizmor/

Co-authored-by: Thomas Gerbet <thomas@gerbet.me>

2025-10-26 22:03:12 +01:00

1 commit