From 3448f86ecd0b086c5fa5bc9ba5f4b6b88ec54e46 Mon Sep 17 00:00:00 2001
From: sean wibisono
Date: Fri, 3 Jul 2026 10:47:01 +1000
Subject: [PATCH] UID2-7011: gate zizmor scan on High-severity findings

Flip the dogfood caller from report-only (fail_severity: never) to blocking on High (fail_severity: high). The repo reached zero High-severity findings in PRs #249-#251 (95 template-injection findings fixed) and the fixed release path was verified end-to-end via a Snapshot canary on uid2-attestation-api, so a red check from here on means a genuine new High finding - a regression gate, per the UID2-7011 rollout plan.

Co-Authored-By: Claude Fable 5
---
 .github/workflows/zizmor.yaml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
index 3a598bf3..589e7df7 100644
--- a/.github/workflows/zizmor.yaml
+++ b/.github/workflows/zizmor.yaml
@@ -16,4 +16,6 @@ jobs:
 zizmor:
 uses: ./.github/workflows/shared-zizmor-scan.yaml
 with:
- fail_severity: never # report-only for now; set to `high` later to gate on High-severity
+ # Gate on High-severity findings: the repo reached zero High in PRs
+ # #249-#251, so a red check now means a genuine new High finding.
+ fail_severity: high
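Review bot: The two new comment lines above `fail_severity: high` record history (the PR range and "now") rather than the standing rule, so they will read as stale once those PRs are forgotten, and the PR numbers are already preserved in the commit message. I would replace them with the policy itself: `# Fail the check on any High-severity zizmor finding (UID2-7011 regression gate).` If the shared workflow still reports lower severities without failing, a second line such as `# Lower severities are reported but do not fail the check.` would tell a reader what a non-red run can still contain — confirm that against shared-zizmor-scan.yaml, which is not part of this patch. The enclosing `jobs:` mapping begins outside the hunk.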