
Conversation

iainlane
Member

@iainlane iainlane commented Jul 3, 2025

The current version of Zizmor finds some potential template injection issues. We can fix these by indirecting via the env, or in a couple of cases by adding ignore comments where we can't really fix the issue.

Something happened to break our config discovery. What we do is download a default config file from this repo, write it to a temporary file, set that file's path as ZIZMOR_CONFIG, and then pass this as --config if it's set. Possibly as the result of a version bump, Zizmor started handling ZIZMOR_CONFIG differently. An empty string here is treated as a file to search for, which doesn't work, and so we get errors.

A fix for this last one is to use a different variable name that doesn't collide with the one Zizmor itself is using. Rename to ZIZMOR_CONFIG_PATH accordingly.

I've sent a fix for the issue upstream too: zizmorcore/zizmor#1010
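The description covers two things: moving `${{ }}` expressions into `env:` so they reach the shell as data, and handing a downloaded config to zizmor through a variable that does not collide with zizmor's own `ZIZMOR_CONFIG`. The shell below is an added illustration, not code from this PR, from the workflow it changes, or from zizmor. The function names, the `GITHUB_ENV` hand-off, the constructed config content and the constructed PR title are all assumptions; `mock_zizmor_lookup` only mimics the lookup behaviour the description reports (an empty `ZIZMOR_CONFIG` treated as a file name) and is not zizmor's implementation.

```shell
#!/bin/sh
# Added example; not code from this PR or from zizmor. It mirrors the two
# points in the description: (1) the config hand-off between workflow
# steps, using the renamed ZIZMOR_CONFIG_PATH so it cannot collide with
# zizmor's own ZIZMOR_CONFIG, and (2) why `${{ }}` values are moved into
# `env:` instead of being interpolated into a `run:` script.
set -u

# Stage a config for a later step. In the real workflow the content is
# downloaded from the repository; here it arrives as $1 (constructed).
# The path is recorded in the file named by $GITHUB_ENV, the Actions
# mechanism for passing a variable to subsequent steps (a plain file when
# run outside Actions), and printed for the caller.
prepare_config() {
  tmp=$(mktemp) || return 1
  printf '%s\n' "$1" > "$tmp"
  printf 'ZIZMOR_CONFIG_PATH=%s\n' "$tmp" >> "$GITHUB_ENV"
  printf '%s\n' "$tmp"
}

# Build the extra arguments for the zizmor invocation. An empty or unset
# ZIZMOR_CONFIG_PATH means "no config staged", so nothing is emitted and
# zizmor falls back to its own discovery. Because the name differs from
# ZIZMOR_CONFIG, an empty value is never seen by zizmor itself.
zizmor_args() {
  if [ -n "${ZIZMOR_CONFIG_PATH:-}" ]; then
    printf '%s %s\n' '--config' "$ZIZMOR_CONFIG_PATH"
  fi
}

# Mock (not zizmor's code) of the lookup behaviour the PR description
# reports: when ZIZMOR_CONFIG is set at all, its value is treated as a
# config file to open, so an exported empty string is an error.
mock_zizmor_lookup() {
  if [ -n "${ZIZMOR_CONFIG+set}" ]; then
    [ -f "$ZIZMOR_CONFIG" ] || { echo "config '$ZIZMOR_CONFIG' not found" >&2; return 1; }
  fi
  return 0
}

# Template injection, inline form. GitHub Actions substitutes `${{ expr }}`
# textually before the shell parses the step, so a line such as
#   run: echo "${{ github.event.pull_request.title }}"
# reaches the shell with the title already spliced into the script. This
# function reproduces that splice for an untrusted value $1.
run_inline() {
  script="echo \"$1\""
  sh -c "$script"
}

# Hardened form. The expression is assigned in `env:`
#   env:
#     TITLE: ${{ github.event.pull_request.title }}
#   run: echo "$TITLE"
# so the shell receives a variable reference and the value stays data.
run_via_env() {
  TITLE="$1" sh -c 'echo "$TITLE"'
}

# Stand-alone demo with a constructed config and a constructed title.
GITHUB_ENV="${GITHUB_ENV:-$(mktemp)}"
cfg=$(prepare_config 'rules: {}')
echo "zizmor args: $(ZIZMOR_CONFIG_PATH=$cfg; zizmor_args)"
title='hello"; echo INJECTED; echo "'
echo "inline form printed:"; run_inline "$title"
echo "env form printed:";    run_via_env "$title"
```

Running it shows the inline form executing the extra command embedded in the title while the `env:` form prints the title verbatim, and `zizmor_args` emitting `--config` only when a path was actually staged.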

@iainlane iainlane force-pushed the iainlane/zizmor-fix branch from 2a09e35 to 31b616f July 3, 2025 10:11
The current version of Zizmor finds some potential template injection
issues. We can fix these by indirecting via the `env`, or in a couple of
cases by adding ignore comments where we can't really fix the issue.

Something happened to break our config discovery. What we do is download
a default config file from this repo, write it to a temporary file, set
that file's path as `ZIZMOR_CONFIG`, and then pass this as `--config` if
it's set. Possibly as the result of a version bump, Zizmor started
handling `ZIZMOR_CONFIG` differently. An empty string here is treated as
a file to search for, which doesn't work, and so we get errors.

A fix for this last one is to use a different variable name that doesn't
collide with the one Zizmor itself is using. Rename to
`ZIZMOR_CONFIG_PATH` accordingly.
@iainlane iainlane force-pushed the iainlane/zizmor-fix branch from 31b616f to 0100804 July 3, 2025 12:43
@iainlane iainlane changed the title from "fix: remediate latest zizmor findings" to "fix: remediate latest zizmor findings, fix supplying zizmor config" Jul 3, 2025
@iainlane iainlane marked this pull request as ready for review July 3, 2025 12:57
@iainlane iainlane requested a review from a team as a code owner July 3, 2025 12:57
@zerok zerok added this pull request to the merge queue Jul 4, 2025
Merged via the queue into main with commit 712c599 Jul 4, 2025
67 checks passed
@zerok zerok deleted the iainlane/zizmor-fix branch July 4, 2025 05:26