From 8392d366cb3a209aa3b034b853dda50c655c58ce Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 25 Apr 2026 10:46:48 +0000
Subject: [PATCH 1/6] Initial plan
From e114a64f1843b8c39e3c95800e093948bc19cd8d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 25 Apr 2026 10:51:21 +0000
Subject: [PATCH 2/6] chore: add zizmor workflow for GitHub Actions security analysis
Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/f5512c78-6b6d-46ca-adf5-4cf6045187b0
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
---
 .github/workflows/zizmor.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 00000000..ae8667a6
--- /dev/null
+++ b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+# Analyzes all GitHub Actions workflows for security issues using zizmor.
+# docs: https://docs.zizmor.sh/
+name: Workflow Security Analysis (zizmor)
+
+on:
+ pull_request:
+ paths:
+ - ".github/workflows/**"
+ schedule:
+ # Every Saturday at 00:00 UTC
+ - cron: "0 0 * * 6"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+permissions:
+ contents: read
+
+jobs:
+ zizmor:
+ name: zizmor
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ steps:
+ - name: Checkout
+ # see https://github.com/actions/checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
+ - name: Run zizmor
+ # see https://github.com/zizmorcore/zizmor-action
+ uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+ with:
+ advanced-security: false
+ annotations: true
From 51bc9a564ed249540d4d313b02bed112f609d665 Mon Sep 17 00:00:00 2001
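Review bot: The `pull_request` trigger's `paths` filter (`.github/workflows/**`) means this job only starts on PRs that touch workflow files, so it must not be configured as a required status check, or every other PR will wait on a check that never runs; the weekly `schedule` entry is presumably what re-scans unchanged workflows as zizmor's audit set grows, and the header comment would read better if it said so. zizmor also audits action definitions, so if this repository keeps composite actions under `.github/actions/`, adding `- ".github/actions/**"` to the filter keeps those in scope on PRs as well. The read-only `permissions` block, SHA-pinned actions and `persist-credentials: false` look right for a workflow that only needs to read the tree.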
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sat, 25 Apr 2026 10:55:24 +0000
Subject: [PATCH 3/6] chore: add comment explaining advanced-security: false in zizmor workflow
Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/b5733fc7-3e3a-4c62-a94c-54620cce9147
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
---
 .github/workflows/zizmor.yml | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index ae8667a6..88b0acc0 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -32,5 +32,11 @@ jobs:
 # see https://github.com/zizmorcore/zizmor-action
 uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
 with:
+ # false: emit findings as workflow-command annotations (::error file=…) rather than
+ # uploading a SARIF report to GitHub's Security tab.
+ # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS),
+ # both of which are unnecessary here and would violate the least-privilege policy.
+ # The two modes are mutually exclusive: advanced-security must be false for
+ # annotations to take effect.
 advanced-security: false
 annotations: true
From 8ad0fd2c685f6178d4f4ddd5dfeb43588ee8f784 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Sat, 25 Apr 2026 13:02:12 +0200
Subject: [PATCH 4/6] Update .github/workflows/zizmor.yml
Signed-off-by: Jan Kowalleck
---
 .github/workflows/zizmor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 88b0acc0..6e2a0ea8 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
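Review bot: The last two added comment lines assert that `advanced-security` and `annotations` are mutually exclusive and that annotations only take effect when `advanced-security` is false; nothing in the hunk supports that, and if the two inputs are independent in zizmor-action v0.5.3 the sentence will mislead whoever later turns SARIF upload on. Either point at where the action documents that coupling, or soften the pair of lines to `# annotations: true => also surface findings inline on the PR diff.`. The first four lines, which record why `security-events: write` is deliberately not granted, are exactly the rationale a least-privilege `permissions` block should carry. The `Run zizmor` step begins one line above the hunk.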
@@ -32,7 +32,7 @@ jobs:
 # see https://github.com/zizmorcore/zizmor-action
 uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
 with:
- # false: emit findings as workflow-command annotations (::error file=…) rather than
+ # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than
 # uploading a SARIF report to GitHub's Security tab.
 # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS),
 # both of which are unnecessary here and would violate the least-privilege policy.
From ab7f3b560e861d08a834834b3bdc8df2eef20486 Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Tue, 28 Apr 2026 15:56:42 +0200
Subject: [PATCH 5/6] [WIP] Add pre-commit hook for GitHub Actions compliance checking (#972)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
---
 .pre-commit-config.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 44a9bcc1..a6573d02 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -42,3 +42,7 @@ repos:
 entry: poetry run -- tox r -e bandit
 pass_filenames: false
 language: system
+ - repo: https://github.com/zizmorcore/zizmor-pre-commit
+ rev: v1.24.1
+ hooks:
+ - id: zizmor
From e064634384ecf02c08e6207da46c63a6b9999d0e Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Tue, 28 Apr 2026 16:05:16 +0200
Subject: [PATCH 6/6] Apply suggestion from @jkowalleck
Signed-off-by: Jan Kowalleck
---
 .github/workflows/zizmor.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 6e2a0ea8..32589888 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
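Review bot: `rev: v1.24.1` in the `.pre-commit-config.yaml` hunk pins the zizmor release run locally, while the workflow pins `zizmorcore/zizmor-action` at v0.5.3, which presumably resolves its own zizmor release; the two can drift after a `pre-commit autoupdate` or an action bump and then report different findings locally versus in CI. A one-line comment on the new entry, `# keep in step with zizmor-action in .github/workflows/zizmor.yml`, makes the pairing visible to whoever updates either pin. The `repos` list begins before the hunk, so I cannot see whether the other remote entries carry such comments.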
@@ -6,6 +6,9 @@ on:
 pull_request:
 paths:
 - ".github/workflows/**"
+ push:
+ paths:
+ - ".github/workflows/**"
 schedule:
 # Every Saturday at 00:00 UTC
 - cron: "0 0 * * 6"
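Review bot: The new `push` trigger has a `paths` filter but no `branches` filter, so a push to a branch that already has an open PR runs the analysis twice (once for `push`, once for `pull_request`), and the `concurrency` group keyed on `github.ref` will not collapse them because the two events carry different refs. Restricting pushes to the default branch, `branches: [<default-branch>]` under `push:` (placeholder — use the repository's actual default branch), keeps the post-merge scan while leaving PR coverage to `pull_request`. The `on:` mapping starts one line above the hunk.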