13
0
Fork 0
mirror of https://github.com/jdx/mise-action.git synced 2026-07-04 02:19:32 +00:00
Commit graph

3 commits

Author SHA1 Message Date
jdx
f91a09d9ef
fix(ci): resolve zizmor findings (#503) 2026-06-04 12:07:47 -05:00
renovate[bot]
76f84078a8
chore(deps): update zizmorcore/zizmor-action action to v0.5.4 (#488)
Some checks failed
Check dist/ / Check dist/ (push) Waiting to run
Continuous Integration / TypeScript Tests (push) Waiting to run
CodeQL / Analyze (push) Waiting to run
release-plz / release-plz (push) Waiting to run
Test Redacted Environment Variables / test-redacted-env (push) Waiting to run
build-test / build (push) Waiting to run
build-test / alpine (push) Waiting to run
build-test / macos (push) Waiting to run
build-test / ubuntu (push) Waiting to run
build-test / windows (push) Waiting to run
build-test / specific_version (push) Waiting to run
build-test / checksum_failure (push) Waiting to run
build-test / custom_cache_key (push) Waiting to run
build-test / fetch_from_github (push) Waiting to run
build-test / final (push) Blocked by required conditions
zizmor / zizmor (push) Has been cancelled
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
|
[zizmorcore/zizmor-action](https://redirect.github.com/zizmorcore/zizmor-action)
| action | patch | `v0.5.3` → `v0.5.6` |

---

### Release Notes

<details>
<summary>zizmorcore/zizmor-action (zizmorcore/zizmor-action)</summary>

###
[`v0.5.6`](https://redirect.github.com/zizmorcore/zizmor-action/releases/tag/v0.5.6)

[Compare
Source](https://redirect.github.com/zizmorcore/zizmor-action/compare/v0.5.5...v0.5.6)

- 1.25.2 is now available via the action
- 1.25.2 is now the default version of zizmor used by the action

###
[`v0.5.5`](https://redirect.github.com/zizmorcore/zizmor-action/releases/tag/v0.5.5)

[Compare
Source](https://redirect.github.com/zizmorcore/zizmor-action/compare/v0.5.4...v0.5.5)

This is a no-op release.

###
[`v0.5.4`](https://redirect.github.com/zizmorcore/zizmor-action/releases/tag/v0.5.4)

[Compare
Source](https://redirect.github.com/zizmorcore/zizmor-action/compare/v0.5.3...v0.5.4)

- 1.25.0 is now available via the action
- 1.25.0 is now the default version of zizmor used by the action

</details>

---

### Configuration

📅 **Schedule**: (in timezone America/Chicago)

- Branch creation
  - Only on Friday (`* * * * 5`)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/jdx/mise-action).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
2026-05-28 16:56:42 +00:00
jdx
46bb674500
chore(ci): add zizmor workflow for github actions security analysis (#471)
Adds [zizmor](https://github.com/zizmorcore/zizmor) to audit GitHub
Actions workflows for security issues. Runs on push to main and on PRs
that change `.github/workflows/**`. Fails CI on any finding.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Medium Risk**
> Mostly CI/workflow hardening, but it also changes release automation
(`postversion.sh`) and workflow permissions/credentials behavior, which
could break tagging/publishing if misconfigured.
> 
> **Overview**
> Adds a new `zizmor` workflow that runs on PRs/pushes touching
`.github/workflows/**` to security-audit workflows.
> 
> Hardens existing workflows by defaulting to least-privilege
`permissions`, setting `actions/checkout` to `persist-credentials:
false`, and adjusting related behavior (e.g., `scripts/postversion.sh`
now runs `gh auth setup-git` so `git push` still works; `ci.yml`
disables `mise-action` caching; `test.yml` avoids interpolating
`steps.bad.outcome` inside a shell string by passing it via env).
> 
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
d878aee510. Bugbot is set up for automated
code reviews on this repo. Configure
[here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 15:00:12 -05:00