From d4a573145921b94fe24760650ee8396c0ade742c Mon Sep 17 00:00:00 2001
From: andrewg-mira <89816284+andrewg-mira@users.noreply.github.com>
Date: Tue, 3 Feb 2026 11:33:30 -0800
Subject: [PATCH 1/3] DEVOPS-977 default zizmor config to allow MiraGeoscience unpinned actions

---
 .github/actions/setup-zizmor-config/action.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/.github/actions/setup-zizmor-config/action.yml b/.github/actions/setup-zizmor-config/action.yml
index f50e014..53b244e 100644
--- a/.github/actions/setup-zizmor-config/action.yml
+++ b/.github/actions/setup-zizmor-config/action.yml
@@ -6,12 +6,16 @@ runs:
 - name: Ensure default zizmor.yml
 shell: bash
 run: |
- if [ ! -f zizmor.yml ]; then
+ if [[ ! -f zizmor.yml || $(wc -l < zizmor.yml) -eq 1 ]]; then
 echo "Creating a custom zizmor.yml configuration file for CI..."
 cat > zizmor.yml << 'EOF'
 rules:
 dependabot-cooldown:
 disable: true
+ unpinned-uses:
+ config:
+ policies:
+ MiraGeoscience/*: any
 EOF
 else
 echo "⊘ Found existing zizmor.yml configuration file"

From d4c4c1846217e72450c22acf8b6e32f798486a67 Mon Sep 17 00:00:00 2001
From: andrewg-mira <89816284+andrewg-mira@users.noreply.github.com>
Date: Fri, 27 Feb 2026 06:11:17 -0800
Subject: [PATCH 2/3] DEVOPS-977 patch zizmor.yml

---
 .../actions/setup-zizmor-config/action.yml | 27 ++++++++++---------
 1 file changed, 15 insertions(+), 12 deletions(-)

diff --git a/.github/actions/setup-zizmor-config/action.yml b/.github/actions/setup-zizmor-config/action.yml
index 53b244e..54266b1 100644
--- a/.github/actions/setup-zizmor-config/action.yml
+++ b/.github/actions/setup-zizmor-config/action.yml
@@ -6,17 +6,20 @@ runs:
 - name: Ensure default zizmor.yml
 shell: bash
 run: |
- if [[ ! -f zizmor.yml || $(wc -l < zizmor.yml) -eq 1 ]]; then
+ # Create zizmor config if missing
+ if [[ ! -f zizmor.yml ]]; then
 echo "Creating a custom zizmor.yml configuration file for CI..."
- cat > zizmor.yml << 'EOF'
- rules:
- dependabot-cooldown:
- disable: true
- unpinned-uses:
- config:
- policies:
- MiraGeoscience/*: any
- EOF
- else
- echo "⊘ Found existing zizmor.yml configuration file"
+ echo $'rules:\n' > zizmor.yml
 fi
+
+ # Patch (merge) with extra config
+ echo "Patching zizmor.yml configuration file for CI..."
+ yq -i '
+ .rules |= (. // {}) |
+ .rules."dependabot-cooldown" |= (. // {}) |
+ .rules."dependabot-cooldown".disable |= true |
+ .rules."unpinned-uses" |= (. // {}) |
+ .rules."unpinned-uses".config |= (. // {}) |
+ .rules."unpinned-uses".config.policies |= (. // {}) |
+ .rules."unpinned-uses".config.policies."MiraGeoscience/*" |= "ref-pin"
+ ' zizmor.yml

From f25721c05b14dba7400603f85abb8e65d5e3ba56 Mon Sep 17 00:00:00 2001
From: andrewg-mira <89816284+andrewg-mira@users.noreply.github.com>
Date: Mon, 16 Mar 2026 09:12:26 -0700
Subject: [PATCH 3/3] DEVOPS-977 temp: point at v3.1

---
 .github/workflows/reusable-zizmor-annotate.yml | 2 +-
 .github/workflows/reusable-zizmor-security.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/reusable-zizmor-annotate.yml b/.github/workflows/reusable-zizmor-annotate.yml
index 101f43c..8e80d69 100644
--- a/.github/workflows/reusable-zizmor-annotate.yml
+++ b/.github/workflows/reusable-zizmor-annotate.yml
@@ -36,7 +36,7 @@ jobs:
 persist-credentials: false
 
 - name: Setup Zizmor Config
- uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config@v2
+ uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config@v3.1
 
 - name: Run Zizmor Security Scan
 uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d
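Review bot: The last two yq assignments, `.rules."dependabot-cooldown".disable |= true` and `.rules."unpinned-uses".config.policies."MiraGeoscience/*" |= "ref-pin"`, overwrite whatever a repository's own zizmor.yml already set, so a stricter per-repo choice such as `hash-pin` for the org's actions is silently downgraded on every run, whereas the preceding keys use `(. // {})` and only fill gaps. If these are meant as defaults, the policy line should follow the same pattern, `.rules."unpinned-uses".config.policies."MiraGeoscience/*" |= (. // "ref-pin")`; for the boolean, `//` also replaces an explicit `false`, so that key needs a null test rather than the alternative operator if a repo opt-out is supposed to survive. The `[[ ! -f zizmor.yml ]]` guard also leaves an existing zero-byte file for yq to edit in place, which the removed `wc -l` branch appears to have been working around; `[[ ! -s zizmor.yml ]]` covers both the missing and the empty case. `yq -i` with this expression syntax assumes the Go yq rather than the jq-wrapper one, and the action neither installs nor checks for it; a `command -v yq` guard with an explicit error message would make that failure mode obvious on self-hosted runners.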
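Review bot: `@v3.1` is a mutable tag while the neighbouring `zizmorcore/zizmor-action@0dce2577…` step is hash-pinned, and the subject itself marks this as temporary; the same line changes in reusable-zizmor-security.yml. Because the config action from PATCH 2 sets `MiraGeoscience/*` to `ref-pin`, zizmor should not flag this ref, so nothing in CI will remind anyone to replace it. For consistency with the other step, `uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config@<commit-sha> # v3.1` would keep the ref readable while fixing the content that runs, or at minimum a `# TODO(DEVOPS-977): temporary, re-pin` comment above the line so the intent survives the ticket.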
diff --git a/.github/workflows/reusable-zizmor-security.yml b/.github/workflows/reusable-zizmor-security.yml
index 17def0c..84b4f80 100644
--- a/.github/workflows/reusable-zizmor-security.yml
+++ b/.github/workflows/reusable-zizmor-security.yml
@@ -35,7 +35,7 @@ jobs:
 persist-credentials: false
 
 - name: Setup Zizmor Config
- uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config@v2
+ uses: MiraGeoscience/CI-tools/.github/actions/setup-zizmor-config@v3.1
 
 - name: Run Zizmor Security Scan
 uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d