mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-11-09 16:18:34 +01:00
1a9867167d
`zizmor` is a tool that uses static analysis to find potential security issues in GitHub Actions [0]. (Yes, it's a bit absurd that GitHub made a CI system so complicated that tools like this were created, but I digress.) Given our increase in GHA usage recently, I think this is a good step towards keeping our security posture in tip-top shape. (It also keeps with the theme of automating as many things as possible!) The rule related to the usages of dangerous-triggers have been disabled to avoid false-positives. Explanations about the usage of `pull_request_target` and expectations around its usage can be found in `.github/workflows/README.md`. [0]: https://woodruffw.github.io/zizmor/ Co-authored-by: Thomas Gerbet <thomas@gerbet.me>
13 lines
546 B
YAML
13 lines
546 B
YAML
# This file defines the ignore rules for zizmor.
|
|
#
|
|
# For rules that contain a high number of false positives, prefer listing them here
|
|
# instead of adding ignore comments. Note that zizmor cannot ignore by line-within-a-string, so
|
|
# there are some ignore items that encompass multiple problems within one `run` block. An issue
|
|
# tracking this is at https://github.com/woodruffw/zizmor/issues/648.
|
|
#
|
|
# For more info, see the documentation: https://woodruffw.github.io/zizmor/usage/#ignoring-results
|
|
|
|
rules:
|
|
dangerous-triggers:
|
|
disable: true
|