chore: zizmor ruleset pilot branch (#326) #155

Open
isaiah-grafana wants to merge 5 commits into main from test/zizmor-vendor-excludes-326

Conversation

@isaiah-grafana
Contributor

@isaiah-grafana isaiah-grafana commented Apr 21, 2026

Summary

Recreates test/zizmor-vendor-excludes-326 as a branch on grafana/security-github-actions (same-repo PR into main), not from a fork head.

self-zizmor.yaml matches main: uses: grafana/shared-workflows/.../reusable-zizmor.yml@5cec40b (no isaiah-grafana fork pin).

Closes the fork-based workflow from the prior PR; org rulesets should point at this repo + branch.

Ref: https://github.com/grafana/security-appsec/issues/326

@isaiah-grafana isaiah-grafana requested a review from a team as a code owner April 21, 2026 20:17
@isaiah-grafana isaiah-grafana force-pushed the test/zizmor-vendor-excludes-326 branch from e8b4e2a to d224d87 April 21, 2026 20:18
Comment thread .github/workflows/self-zizmor.yaml Fixed
isaiah-grafana added a commit that referenced this pull request May 19, 2026
Brings in main (e.g. semgrep workflow) so PR #155 is conflict-free.
Does not merge the pilot into main.
@isaiah-grafana isaiah-grafana force-pushed the test/zizmor-vendor-excludes-326 branch 2 times, most recently from c18a995 to fb6a5cf May 19, 2026 17:54
Uses feat/zizmor-collection-ignore-326-v2-wip @ b3b177b. Adds a small
vendor-fixture tree and zizmor-collection-ignore for the ruleset pilot.
@isaiah-grafana isaiah-grafana force-pushed the test/zizmor-vendor-excludes-326 branch from fb6a5cf to 7762471 May 19, 2026 17:54
@isaiah-grafana isaiah-grafana force-pushed the test/zizmor-vendor-excludes-326 branch from cff5b6a to ff9cda7 May 19, 2026 19:09
@github-actions

Semgrep Findings

1 finding(s) detected.

Severity: 🔵 LOW
Rule: deny-actions-create-github-app-token
File: .github/workflows/periodic-zizmor.yaml:51
Message: Do not use actions/create-github-app-token. Use the organization's approved alternative for generating GitHub App tokens.
