From 2b917719f059fca27b4b114e8b325daed9a2aa88 Mon Sep 17 00:00:00 2001
From: max furman
Date: Tue, 3 Mar 2026 10:21:14 -0800
Subject: [PATCH 1/2] ci: auto-enable zizmor GHAS upload for public repos

Move advanced-security auto-detection into zizmor.yml so any caller benefits. Changes the input type from boolean to string (default "") to distinguish "not set" from "false". When unset, enables GHAS upload for public repos via github.repository_visibility; explicit "true"/"false" overrides still work via boolean coercion.

Co-Authored-By: Claude
---
 .github/workflows/actionci.yml | 6 +++---
 .github/workflows/ci.yml | 2 +-
 .github/workflows/zizmor.yml | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml
index 0a6a8f4..5521a92 100644
--- a/.github/workflows/actionci.yml
+++ b/.github/workflows/actionci.yml
@@ -14,10 +14,10 @@ on:
         type: boolean
         default: true
       zizmor-advanced-security:
-        description: Upload zizmor results to GitHub Advanced Security
+        description: Upload zizmor results to GitHub Advanced Security. Leave unset to auto-enable for public repos, or set to "true"/"false" to override.
         required: false
-        type: boolean
-        default: false
+        type: string
+        default: ""
 
 permissions:
   contents: read
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 95b39cb..45b8c85 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -24,7 +24,7 @@ jobs:
     uses: ./.github/workflows/actionlint.yml
 
   zizmor:
-    name: Scan GitHub workflows
+    name: Security Scan GitHub workflows
     uses: ./.github/workflows/zizmor.yml
 
   frizbee:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 65e9e21..e73a7e0 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
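Review bot: Switching `zizmor-advanced-security` from `type: boolean` to `type: string` is a breaking change for any caller that already passes an unquoted YAML boolean (`zizmor-advanced-security: true`); GitHub validates reusable-workflow input types, so such a caller is likely to be rejected at workflow parse time rather than coerced — worth verifying with an existing caller before merging. The new default also means a public repository now attempts a SARIF upload without opting in, which fails unless the caller job grants `security-events: write`, and neither of these caveats is captured in the description. Suggest `description: Upload zizmor results to GitHub Advanced Security. Leave unset to auto-enable for public repos (caller must grant security-events: write), or pass the quoted string "true"/"false" to override.`. The line that forwards this input to zizmor.yml is outside the hunk and should be checked to forward the raw string, not a re-coerced boolean.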
@@ -3,9 +3,9 @@ on:
   workflow_call:
     inputs:
       advanced-security:
-        description: Upload results to GitHub Advanced Security
-        type: boolean
-        default: false
+        description: Upload results to GitHub Advanced Security. Leave unset to auto-enable for public repos, or set to "true"/"false" to override.
+        type: string
+        default: ""
 
 jobs:
   zizmor:
@@ -20,4 +20,4 @@ jobs:
       with:
         min-severity: medium
         min-confidence: medium
-        advanced-security: ${{ inputs.advanced-security }}
+        advanced-security: ${{ (inputs.advanced-security == '' && github.repository_visibility == 'public') || inputs.advanced-security == 'true' }}

From caf942401f96cd50bbdd419ed95ae753aed6e55e Mon Sep 17 00:00:00 2001
From: max furman
Date: Tue, 3 Mar 2026 10:36:21 -0800
Subject: [PATCH 2/2] ci: replace direct workflow calls with actionci in ci.yml

Replace the three separate actionlint, zizmor, and frizbee jobs with a single actionci job that delegates to actionci.yml. Add security-events: write permission so actionci.yml can propagate it to the zizmor job for SARIF upload on this public repo.

Co-Authored-By: Claude
---
 .github/workflows/ci.yml | 16 +++++----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 45b8c85..5f752a6 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -19,17 +19,11 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  actionlint:
-    name: Lint GitHub workflows
-    uses: ./.github/workflows/actionlint.yml
-
-  zizmor:
-    name: Security Scan GitHub workflows
-    uses: ./.github/workflows/zizmor.yml
-
-  frizbee:
-    name: Check action pinning
-    uses: ./.github/workflows/frizbee.yml
+  actionci:
+    uses: ./.github/workflows/actionci.yml
+    permissions:
+      contents: read
+      security-events: write
 
   lint-dummy-app: # NOTE(@azazeal): this check is here to verify that .golangci.yml is valid
     name: Lint dummy app
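Review bot: The auto-enable expression keys on `github.repository_visibility`, which is not among the documented properties of the `github` context; if the runtime does not populate it, the comparison is against null, evaluates false with no error, and the auto-enable silently never fires on public repos. Confirm the property exists (e.g. by dumping `toJSON(github)` once in a throwaway run) or fall back to the event payload, which does carry it on push and pull_request events: `github.event.repository.visibility == 'public'`. Separately, "public" is not the same as "can upload SARIF": on `pull_request` runs from forks the `GITHUB_TOKEN` is read-only, so the upload will be attempted and fail on exactly the PRs a workflow scanner is most useful for; gate the auto-path on the token being writable, e.g. `advanced-security: ${{ ((inputs.advanced-security == '' && github.repository_visibility == 'public') || inputs.advanced-security == 'true') && !(github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork) }}`. Whether the zizmor action fails the job or only warns on a rejected upload is not visible from this diff and should be checked before relying on the auto-enable.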
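Review bot: `security-events: write` is granted on the single `actionci` job, so it becomes the permission ceiling for every job actionci.yml fans out to — actionlint and frizbee included — unless that reusable workflow scopes `permissions:` per job; the commit message says it propagates only to the zizmor job, but actionci.yml is outside this diff, so that should be verified rather than assumed. A one-line note at the call site makes the intent reviewable the next time someone touches it: `# security-events: write is only for the zizmor SARIF upload; actionci.yml must restrict it to that job`. Note too that this write scope does not help on fork pull requests, where the token is read-only regardless, so the public-repo auto-upload will still fail there. Minor style point: dropping the three `name:` fields means the checks now render as `actionci / <job>`, which changes any branch-protection required-check names that referenced the old display names.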