From 77624719de7ef639f0f9cd46eb921ccb413b3871 Mon Sep 17 00:00:00 2001
From: Isaiah Grigsby
Date: Tue, 19 May 2026 12:54:43 -0500
Subject: [PATCH 1/5] test: pin zizmor to shared-workflows #326 branch Uses feat/zizmor-collection-ignore-326-v2-wip @ b3b177b. Adds a small vendor-fixture tree and zizmor-collection-ignore for the ruleset pilot.
---
 .github/workflows/self-zizmor.yaml | 3 ++-
 .github/zizmor-collection-ignore | 2 ++
 vendor-fixture/.github/workflows/should-not-scan.yml | 7 +++++++
 3 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 .github/zizmor-collection-ignore
 create mode 100644 vendor-fixture/.github/workflows/should-not-scan.yml
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
index f8bb8488..b05c0ccf 100644
--- a/.github/workflows/self-zizmor.yaml
+++ b/.github/workflows/self-zizmor.yaml
@@ -45,7 +45,8 @@ jobs:
 - zizmor-check
 if: ${{ needs.zizmor-check.outputs.found-files == 'true' }}
- uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@e6c831d1106c11504502ef164409b2d5479daefe
+ # #326 pilot — shared-workflows feat/zizmor-collection-ignore-326-v2-wip @ b3b177b
+ uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@b3b177b0318e021391347093fed93ab4ade0cf7e
 with:
 runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
 fail-severity: high
diff --git a/.github/zizmor-collection-ignore b/.github/zizmor-collection-ignore
new file mode 100644
index 00000000..014e71cd
--- /dev/null
+++ b/.github/zizmor-collection-ignore
@@ -0,0 +1,2 @@
+# security-appsec#326
+vendor-fixture
diff --git a/vendor-fixture/.github/workflows/should-not-scan.yml b/vendor-fixture/.github/workflows/should-not-scan.yml
new file mode 100644
index 00000000..d17f8ccb
--- /dev/null
+++ b/vendor-fixture/.github/workflows/should-not-scan.yml
@@ -0,0 +1,7 @@
+name: vendor fixture
+on: workflow_dispatch
+jobs:
+ noop:
+ runs-on: ubuntu-latest
+ steps:
+ - run: echo ok
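Review bot: The new `uses:` pin in `.github/workflows/self-zizmor.yaml` points at a commit that, per the added comment, lives on the unmerged `feat/zizmor-collection-ignore-326-v2-wip` branch, so the repository's own zizmor scan now runs reusable-workflow code that has presumably not been reviewed on the shared-workflows default branch. The full-SHA pin keeps it immutable, but a commit reachable only from a WIP branch can become unreachable after a force-push or branch deletion, and the later patches in this series re-pin to further commits of the same work. I would keep this off the default branch until the upstream change is merged, and record the intent next to the pin, e.g. `# TEMPORARY: unmerged shared-workflows commit for the #326 pilot; re-pin to a merged commit before this lands`. The job that carries this `uses:` starts above the hunk, so its `permissions:` and `secrets:` are not visible here and are worth checking against what the pilot branch needs.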
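Review bot: The new `.github/zizmor-collection-ignore` removes a path from security scanning, but its only comment is the issue reference `# security-appsec#326`, which does not say why `vendor-fixture` is safe to skip or how the entry is matched. The matching rules live in the pinned reusable workflow and are not visible here, so it is unclear whether a bare `vendor-fixture` is a root-anchored prefix or matches a directory of that name at any depth; the narrower reading should be confirmed. I would document the entry, e.g. `# vendor-fixture/ holds a non-executed test workflow for the collection-ignore pilot (security-appsec#326); remove with the fixture`. Because any entry here hides workflows from zizmor, changes to this file probably deserve the same owner review as the workflows themselves.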
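Review bot: The fixture in `vendor-fixture/.github/workflows/should-not-scan.yml` is a plain `echo ok` job, so a run in which the ignore file is silently not honoured may look the same as a run in which it is, given the caller sets `fail-severity: high`. Unless the reusable workflow reports the list of collected files, the test would be more convincing if the fixture carried a construct zizmor reports at or above that severity, so that scanning it by mistake fails the check. A header comment would also help readers who find the file later, e.g. `# Test fixture: not under the root .github/workflows, so GitHub never runs it; it exists to check that zizmor-collection-ignore excludes this path`.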
From 1675fa71b16d178293ee3ddf9369ee4a2d30c68d Mon Sep 17 00:00:00 2001
From: Isaiah Grigsby
Date: Tue, 19 May 2026 13:13:08 -0500
Subject: [PATCH 2/5] test: bump shared-workflows pin to 59e511f
---
 .github/workflows/self-zizmor.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
index b05c0ccf..fa5e1a1d 100644
--- a/.github/workflows/self-zizmor.yaml
+++ b/.github/workflows/self-zizmor.yaml
@@ -45,8 +45,8 @@ jobs:
 - zizmor-check
 if: ${{ needs.zizmor-check.outputs.found-files == 'true' }}
- # #326 pilot — shared-workflows feat/zizmor-collection-ignore-326-v2-wip @ b3b177b
- uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@b3b177b0318e021391347093fed93ab4ade0cf7e
+ # #326 pilot — shared-workflows feat/zizmor-collection-ignore-326-v2-wip
+ uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@59e511f672e096c605f4c4da494da6b8091c0a92
 with:
 runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
 fail-severity: high
From ff9cda7728eea248ab545734b22697dd2c2f0894 Mon Sep 17 00:00:00 2001
From: Isaiah Grigsby
Date: Tue, 19 May 2026 14:08:59 -0500
Subject: [PATCH 3/5] test: pin zizmor to shared-workflows #1944 (1f447f2)
---
 .github/workflows/self-zizmor.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
index fa5e1a1d..0bfe175a 100644
--- a/.github/workflows/self-zizmor.yaml
+++ b/.github/workflows/self-zizmor.yaml
@@ -45,8 +45,8 @@ jobs:
 - zizmor-check
 if: ${{ needs.zizmor-check.outputs.found-files == 'true' }}
- # #326 pilot — shared-workflows feat/zizmor-collection-ignore-326-v2-wip
- uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@59e511f672e096c605f4c4da494da6b8091c0a92
+ # #326 pilot — shared-workflows feat/zizmor-collection-ignore-326-v2 (PR #1944)
+ uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@1f447f273db6a24663c2daf4e1876f1e4298e93b
 with:
 runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
 fail-severity: high
From 57c97d0a17be0b8594d269cdaa60d6c524f8bfae Mon Sep 17 00:00:00 2001
From: Isaiah Grigsby
Date: Tue, 19 May 2026 17:05:08 -0500
Subject: [PATCH 4/5] test(zizmor): pin reusable-zizmor@664db52 for collection-ignore e2e
---
 .github/workflows/self-zizmor.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
index 0bfe175a..4a72ff47 100644
--- a/.github/workflows/self-zizmor.yaml
+++ b/.github/workflows/self-zizmor.yaml
@@ -45,8 +45,8 @@ jobs:
 - zizmor-check
 if: ${{ needs.zizmor-check.outputs.found-files == 'true' }}
- # #326 pilot — shared-workflows feat/zizmor-collection-ignore-326-v2 (PR #1944)
- uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@1f447f273db6a24663c2daf4e1876f1e4298e93b
+ # #326 pilot — shared-workflows feat/zizmor-collection-ignore-326-v2 (PR #1945)
+ uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@664db527638a19b4f7a8aa175ec2eff9033fb5cd
 with:
 runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
 fail-severity: high
From 66929740e6a173bff2e20b8e2fba40079da0b773 Mon Sep 17 00:00:00 2001
From: Isaiah Grigsby
Date: Tue, 19 May 2026 17:41:53 -0500
Subject: [PATCH 5/5] test(zizmor): pin reusable-zizmor@a0ded69 (shared-workflows #1945)
---
 .github/workflows/self-zizmor.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
index 4a72ff47..09dedde8 100644
--- a/.github/workflows/self-zizmor.yaml
+++ b/.github/workflows/self-zizmor.yaml
@@ -46,7 +46,7 @@ jobs:
 if: ${{ needs.zizmor-check.outputs.found-files == 'true' }}
 # #326 pilot — shared-workflows feat/zizmor-collection-ignore-326-v2 (PR #1945)
- uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@664db527638a19b4f7a8aa175ec2eff9033fb5cd
+ uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@a0ded699096e4939468a229648b0268340a90c99
 with:
 runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
 fail-severity: high