mirror of
https://github.com/jdx/mise-action.git
synced 2026-05-20 00:11:54 +00:00
ci(zizmor): scope push trigger and disable advanced-security
Address review feedback on PR #471.

- Add paths filter to the push trigger so the job only runs when workflow files change on main (matches the pull_request trigger).
- Set advanced-security: false on zizmor-action. With the default true, the action runs codeql-action/upload-sarif which needs security-events: write — the job only grants contents: read. Disabling it also makes zizmor's exit code drive CI failure, matching the "fails CI on any finding" intent.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 9bc018758e
commit 350683121f
1 changed file with 3 additions and 0 deletions
.github/workflows/zizmor.yml (vendored): 3 lines changed
@ -2,6 +2,7 @@ name: zizmor
on:
push:
branches: [main]
paths: ['.github/workflows/**']
pull_request:
paths: ['.github/workflows/**']
|
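Review bot: with `paths: ['.github/workflows/**']` now on both the push and pull_request triggers, a pull request that touches no workflow file will not run this job at all; if `zizmor` is ever made a required status check it will sit as "Expected" and block merging, so either keep it optional or drop the filter from `pull_request`. Since this repository is itself a GitHub Action, also consider adding `action.yml` to the filter if zizmor is meant to cover the action definition and not only the workflows under `.github/workflows`.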
@ -17,3 +18,5 @@ jobs:
with:
persist-credentials: false
- uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
with:
advanced-security: false
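Review bot: `advanced-security: false` is doing two jobs that are only explained in the commit message, not in the file: it avoids the `security-events: write` permission that the SARIF upload would need under the job's `contents: read`, and it lets zizmor's own exit code fail the job. Add a one-line YAML comment above it, e.g. `# SARIF upload needs security-events: write; keep off so zizmor's exit code fails CI`, so that a later edit re-enabling it does not break on permissions or silently stop failing on findings.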