From 77a84466965272735e3389349216b81a56417bf7 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 22 May 2026 17:51:58 +0000
Subject: [PATCH 1/9] chore(deps): update all non-major dependencies
---
 .github/workflows/ci.yaml | 2 +-
 .github/workflows/standard-build.yaml | 26 ++++++++++++-------------
 .github/workflows/standard-lint.yaml | 16 +++++++--------
 .github/workflows/standard-release.yaml | 4 ++--
 Dockerfile | 2 +-
 5 files changed, 25 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 2693baa..620193a 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -101,7 +101,7 @@ jobs:
 docker info -f '{{ .DriverStatus }}'

 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0

 - name: Download build image
 uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
diff --git a/.github/workflows/standard-build.yaml b/.github/workflows/standard-build.yaml
index b9e224b..4532854 100644
--- a/.github/workflows/standard-build.yaml
+++ b/.github/workflows/standard-build.yaml
@@ -118,7 +118,7 @@ jobs:
 image-slug: ${{ steps.slugify-image.outputs.slug }}
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs
@@ -141,7 +141,7 @@ jobs:
 docker info -f '{{ .DriverStatus }}'

 - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+ uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
 with:
 # zizmor: runtime artifacts potentially vulnerable to a cache poisoning attack
 cache-binary: false
@@ -150,7 +150,7 @@ jobs:
 uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0

 - name: Login to GitHub Container Registry
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 if: ${{ github.event_name != 'pull_request' || (github.event.pull_request.base.repo.full_name == github.event.pull_request.head.repo.full_name) }}
 with:
 registry: ghcr.io
@@ -159,7 +159,7 @@ jobs:

 - name: Container image meta
 id: image_meta
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: |
 ${{ inputs.image }}
@@ -169,7 +169,7 @@ jobs:
 - name: Container meta for the test image
 id: tests_image_meta
 if: ${{ inputs.enable-build-test-layer == true }}
- uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+ uses: docker/metadata-action@80c7e94dd9b9319bd5eb7a0e0fe9291e23a2a2e9 # v6.1.0
 with:
 images: |
 ${{ inputs.image }}-test
@@ -178,7 +178,7 @@ jobs:
 - name: Build unit test image layer
 if: ${{ inputs.enable-build-test-layer == true }}
 id: build_test
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: ${{ inputs.build-context }} # zizmor: ignore[template-injection]
 push: false
@@ -209,7 +209,7 @@ jobs:

 - name: Build and push image
 id: build
- uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+ uses: docker/build-push-action@f9f3042f7e2789586610d6e8b85c8f03e5195baf # v7.2.0
 with:
 context: ${{ inputs.build-context }} # zizmor: ignore[template-injection]
 # when in a PR, save the image as a tar archive
@@ -349,12 +349,12 @@ jobs:
 packages: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs

 - name: Login to GitHub Container Registry
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -382,12 +382,12 @@ jobs:
 packages: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs

 - name: Login to GitHub Container Registry
- uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
+ uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee # v4.2.0
 with:
 registry: ghcr.io
 username: ${{ github.actor }}
@@ -421,7 +421,7 @@ jobs:
 contents: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs
@@ -451,7 +451,7 @@ jobs:
 contents: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs
diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml
index 4fbac6e..6754e74 100644
--- a/.github/workflows/standard-lint.yaml
+++ b/.github/workflows/standard-lint.yaml
@@ -9,7 +9,7 @@ defaults:

 env:
 # renovate: datasource=pypi depName=zizmor
- ZIZMOR_VERSION: 1.24.1
+ ZIZMOR_VERSION: 1.25.2

 on:
 workflow_call:
@@ -69,7 +69,7 @@ jobs:
 pull-requests: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs

@@ -83,7 +83,7 @@ jobs:
 id: ml
 # You can override MegaLinter flavor used to have faster performances
 # More info at https://megalinter.io/latest/flavors/
- uses: oxsecurity/megalinter@8fbdead70d1409964ab3d5afa885e18ee85388bb # v9.4.0
+ uses: oxsecurity/megalinter@0e3ce9b9c8c10effb9b269509cc47ca17cae31c7 # v9.5.0
 env:
 VALIDATE_ALL_CODEBASE: "true"
 # only try to post PR comments if it's not a fork
@@ -103,7 +103,7 @@ jobs:

 - name: Upload MegaLinter scan results to GitHub Security tab
 if: ${{ always() }}
- uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 sarif_file: "megalinter-reports/megalinter-report.sarif"
@@ -196,7 +196,7 @@ jobs:

 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
- uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+ uses: github/codeql-action/init@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 languages: ${{ matrix.language }}
 # If you wish to specify custom queries, you can do so here or in a config file.
@@ -209,7 +209,7 @@ jobs:
 # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
 # If this step fails, then you should remove it and run the build manually (see below)
 - name: Autobuild
- uses: github/codeql-action/autobuild@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+ uses: github/codeql-action/autobuild@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0

 # â„šī¸ Command-line programs to run using the OS shell.
 # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
@@ -222,7 +222,7 @@ jobs:
 # ./location_of_script_within_repo/buildscript.sh

 - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+ uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 category: "/language:${{matrix.language}}"

@@ -266,7 +266,7 @@ jobs:
 ZIZMOR_CONFIG: /tmp/zizmor-standard-lint-defaults.yaml

 - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
+ uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 sarif_file: results.sarif
 category: zizmor
diff --git a/.github/workflows/standard-release.yaml b/.github/workflows/standard-release.yaml
index e356161..a6d50a8 100644
--- a/.github/workflows/standard-release.yaml
+++ b/.github/workflows/standard-release.yaml
@@ -39,11 +39,11 @@ jobs:
 issues: write
 steps:
 - name: Harden Runner
- uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
+ uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
 with:
 egress-policy: audit # change to 'egress-policy: block' after couple of runs

- - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1
+ - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
 id: app-token
 if: ${{ inputs.use-app-token }}
 with:
diff --git a/Dockerfile b/Dockerfile
index 1ae06c2..6e07254 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM docker.io/library/python:3.14.4-slim@sha256:2ca02f32b4d9d893863367ce07ec1972819f476dd38d8612f2a9cb6a41cbb727 AS base
+FROM docker.io/library/python:3.14.5-slim@sha256:c845af9399020c7e562969a13689e929074a10fd057acd1b1fad06a2fb068e97 AS base

 WORKDIR /app
 COPY hello_world.py .
From 1ae81c16c54fb2eebaeef22bdaffd5c7353ad615 Mon Sep 17 00:00:00 2001
From: chgl <5307555+chgl@users.noreply.github.com>
Date: Sun, 24 May 2026 12:40:51 +0200
Subject: [PATCH 2/9] chore: rm zizmor as its part of megalitner now
---
 .github/workflows/standard-lint.yaml | 67 +++++++--------------------
 1 file changed, 15 insertions(+), 52 deletions(-)
diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml
index 6754e74..84c9d28 100644
--- a/.github/workflows/standard-lint.yaml
+++ b/.github/workflows/standard-lint.yaml
@@ -78,6 +78,19 @@ jobs:
 with:
 persist-credentials: false

+ - name: Create standard zizmor rules file
+ env:
+ ZIZMOR_CONFIG_YAML: |
+ rules:
+ undocumented-permissions:
+ disable: true
+ concurrency-limits:
+ disable: true
+ superfluous-actions:
+ disable: true
+ run: |
+ echo "${ZIZMOR_CONFIG_YAML}" > /tmp/zizmor-standard-lint-defaults.yaml
+
 # MegaLinter
 - name: MegaLinter
 id: ml
@@ -90,6 +103,8 @@ jobs:
 GITHUB_COMMENT_REPORTER: ${{ !github.event.pull_request.head.repo.fork }}
 GITHUB_TOKEN: ${{ secrets.github-token }} # zizmor: ignore[secrets-outside-env]
 SARIF_REPORTER: "true"
+ ACTION_ZIZMOR_CONFIG_FILE: /tmp/zizmor-standard-lint-defaults.yaml
+ ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN

 # Upload MegaLinter artifacts
 - name: Archive production artifacts
@@ -225,55 +240,3 @@ jobs:
 uses: github/codeql-action/analyze@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
 with:
 category: "/language:${{matrix.language}}"
-
- zizmor:
- name: zizmor scan
- runs-on: ubuntu-24.04
- if: ${{ github.event_name == 'pull_request' }}
- permissions:
- security-events: write
- contents: read
- actions: read
- steps:
- - name: Checkout Code
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- with:
- persist-credentials: false
- - name: Install the latest version of uv
- uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
- with:
- enable-cache: false
- - name: Create standard zizmor rules file
- env:
- ZIZMOR_CONFIG_YAML: |
- rules:
- undocumented-permissions:
- disable: true
- concurrency-limits:
- disable: true
- superfluous-actions:
- disable: true
- run: |
- echo "${ZIZMOR_CONFIG_YAML}" > /tmp/zizmor-standard-lint-defaults.yaml
- - name: Run zizmor (sarif)
- run: |
- uvx "zizmor@${ZIZMOR_VERSION}" --pedantic --format sarif . > results.sarif
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- ZIZMOR_CONFIG: /tmp/zizmor-standard-lint-defaults.yaml
- - name: Upload SARIF file
- uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
- with:
- sarif_file: results.sarif
- category: zizmor
- - name: Run zizmor (fail on findings)
- run: |
- uvx "zizmor@${ZIZMOR_VERSION}" --verbose --pedantic --format plain .
- env:
- GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- ZIZMOR_CONFIG: /tmp/zizmor-standard-lint-defaults.yaml
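Review bot: The standalone job removed in the @@ -225 hunk ran zizmor with `--pedantic` and failed the workflow on findings, but the MegaLinter env added in the @@ -90 hunk passes no arguments, so the audit level presumably drops unless MegaLinter's zizmor descriptor is pedantic by default; following the `REPOSITORY_OSV_SCANNER_ARGUMENTS` pattern this series uses, `ACTION_ZIZMOR_ARGUMENTS: --pedantic` would restore parity if the descriptor honours an `_ARGUMENTS` variable. The top-of-file `ZIZMOR_VERSION` env with its renovate marker (seen in patch 1's @@ -9 hunk) is left in place although the removed `uvx "zizmor@${ZIZMOR_VERSION}"` steps were its only visible consumer, so Renovate will keep bumping an unused pin; drop it, or comment why it stays. `ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN` also deserves a line of explanation: the token zizmor now sees is the caller-supplied `secrets.github-token` carrying this job's `pull-requests: write` scope, whereas the deleted job ran under `security-events: write`, `contents: read`, `actions: read`, e.g. `# exposes the PR-reporter token to zizmor for its online audits, which presumably need read access only`.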
From ee055f25586226b5d9c3209bafb4cd98a2895d5a Mon Sep 17 00:00:00 2001
From: chgl <5307555+chgl@users.noreply.github.com>
Date: Sun, 24 May 2026 12:48:28 +0200
Subject: [PATCH 3/9] config
---
 .github/workflows/standard-lint.yaml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml
index 84c9d28..483bf6f 100644
--- a/.github/workflows/standard-lint.yaml
+++ b/.github/workflows/standard-lint.yaml
@@ -89,7 +89,7 @@ jobs:
 superfluous-actions:
 disable: true
 run: |
- echo "${ZIZMOR_CONFIG_YAML}" > /tmp/zizmor-standard-lint-defaults.yaml
+ echo "${ZIZMOR_CONFIG_YAML}" > ./zizmor-standard-lint-defaults.yaml

 # MegaLinter
 - name: MegaLinter
@@ -103,8 +103,9 @@ jobs:
 GITHUB_COMMENT_REPORTER: ${{ !github.event.pull_request.head.repo.fork }}
 GITHUB_TOKEN: ${{ secrets.github-token }} # zizmor: ignore[secrets-outside-env]
 SARIF_REPORTER: "true"
- ACTION_ZIZMOR_CONFIG_FILE: /tmp/zizmor-standard-lint-defaults.yaml
+ ACTION_ZIZMOR_CONFIG_FILE: ./zizmor-standard-lint-defaults.yaml
 ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN
+ REPOSITORY_OSV_SCANNER_ARGUMENTS: --allow-no-lockfiles

 # Upload MegaLinter artifacts
 - name: Archive production artifacts
From 267fe35d5b043120e6613464c6053e053cadc8a0 Mon Sep 17 00:00:00 2001
From: chgl <5307555+chgl@users.noreply.github.com>
Date: Sun, 24 May 2026 12:56:02 +0200
Subject: [PATCH 4/9] lint
---
 .github/workflows/standard-lint.yaml | 4 ++--
 .github/workflows/standard-release.yaml | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml
index 483bf6f..2872a56 100644
--- a/.github/workflows/standard-lint.yaml
+++ b/.github/workflows/standard-lint.yaml
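Review bot: `REPOSITORY_OSV_SCANNER_ARGUMENTS: --allow-no-lockfiles` in the @@ -103 hunk turns a missing-lockfile error into a pass for every repository that calls this reusable workflow (standard-lint.yaml is a `workflow_call` workflow per patch 1's @@ -9 hunk), so a downstream project that forgets to commit its lockfile would silently lose dependency scanning. If the intent is only to keep lockfile-less repositories such as this template green, say so on the line, e.g. `# this template repo ships no lockfile; callers that do are still scanned`, or expose the flag as a workflow input so callers opt in. The relative `./zizmor-standard-lint-defaults.yaml` path in the @@ -89 hunk is presumably resolved against the workspace mounted into the MegaLinter container, which the earlier `/tmp` location was not; a comment stating that the file must live inside the checkout would keep the next edit from moving it back.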
@@ -89,7 +89,7 @@ jobs:
 superfluous-actions:
 disable: true
 run: |
- echo "${ZIZMOR_CONFIG_YAML}" > ./zizmor-standard-lint-defaults.yaml
+ echo "${ZIZMOR_CONFIG_YAML}" > ./.zizmor-standard-lint-defaults.yaml

 # MegaLinter
 - name: MegaLinter
@@ -103,7 +103,7 @@ jobs:
 GITHUB_COMMENT_REPORTER: ${{ !github.event.pull_request.head.repo.fork }}
 GITHUB_TOKEN: ${{ secrets.github-token }} # zizmor: ignore[secrets-outside-env]
 SARIF_REPORTER: "true"
- ACTION_ZIZMOR_CONFIG_FILE: ./zizmor-standard-lint-defaults.yaml
+ ACTION_ZIZMOR_CONFIG_FILE: ./.zizmor-standard-lint-defaults.yaml
 ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES: GITHUB_TOKEN
 REPOSITORY_OSV_SCANNER_ARGUMENTS: --allow-no-lockfiles

diff --git a/.github/workflows/standard-release.yaml b/.github/workflows/standard-release.yaml
index a6d50a8..b08e38b 100644
--- a/.github/workflows/standard-release.yaml
+++ b/.github/workflows/standard-release.yaml
@@ -47,9 +47,10 @@ jobs:
 id: app-token
 if: ${{ inputs.use-app-token }}
 with:
- app-id: ${{ secrets.app-token-app-id }} # zizmor: ignore[secrets-outside-env]
+ client-id: ${{ secrets.app-token-app-id }} # zizmor: ignore[secrets-outside-env]
 private-key: ${{ secrets.app-token-private-key }} # zizmor: ignore[secrets-outside-env]
 owner: ${{ github.repository_owner }}
+ repositories: ${{ github.repository }}

 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
From 8475af2f0ad9f5174ae4b1316cb61d8b0e4f7901 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 26 May 2026 14:39:17 +0000
Subject: [PATCH 5/9] fix: scope GitHub App token to current repository only
Agent-Logs-Url: https://github.com/chgl/.github/sessions/3639cf87-a05e-431b-9905-afdcde32d5ff
Co-authored-by: chgl <5307555+chgl@users.noreply.github.com>
---
 .github/workflows/standard-release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
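Review bot: `repositories: ${{ github.repository }}` in the standard-release.yaml @@ -47 hunk supplies the `owner/name` form, whereas create-github-app-token documents `repositories` as a comma- or newline-separated list of repository names; the @@ -50 hunks of patches 5 and 6 flip this to `github.event.repository.name` and back, so presumably the owner-qualified form is accepted by v3.2.0, but the round-trip shows the expectation is not obvious. Confirm it against the action's README and record the answer on the line, e.g. `repositories: ${{ github.repository }} # owner/name form is accepted; limits the token to this repository`. The rename to `client-id` still reads `secrets.app-token-app-id`; as far as I recall the input also accepts the numeric App ID, so a comment saying that callers may keep passing the App ID would spare consumers of this reusable workflow a secret rename.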
diff --git a/.github/workflows/standard-release.yaml b/.github/workflows/standard-release.yaml
index b08e38b..dfd05c8 100644
--- a/.github/workflows/standard-release.yaml
+++ b/.github/workflows/standard-release.yaml
@@ -50,7 +50,7 @@ jobs:
 client-id: ${{ secrets.app-token-app-id }} # zizmor: ignore[secrets-outside-env]
 private-key: ${{ secrets.app-token-private-key }} # zizmor: ignore[secrets-outside-env]
 owner: ${{ github.repository_owner }}
- repositories: ${{ github.repository }}
+ repositories: ${{ github.event.repository.name }}

 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
From d06fc3ee716b844ea123adde5e69086cdd767f2f Mon Sep 17 00:00:00 2001
From: chgl
Date: Tue, 26 May 2026 16:43:48 +0200
Subject: [PATCH 6/9] Update repository reference in standard-release.yaml
---
 .github/workflows/standard-release.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/standard-release.yaml b/.github/workflows/standard-release.yaml
index dfd05c8..b08e38b 100644
--- a/.github/workflows/standard-release.yaml
+++ b/.github/workflows/standard-release.yaml
@@ -50,7 +50,7 @@ jobs:
 client-id: ${{ secrets.app-token-app-id }} # zizmor: ignore[secrets-outside-env]
 private-key: ${{ secrets.app-token-private-key }} # zizmor: ignore[secrets-outside-env]
 owner: ${{ github.repository_owner }}
- repositories: ${{ github.event.repository.name }}
+ repositories: ${{ github.repository }}

 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
From 3abd322269622f246993fcab2cf5606cb6eb5903 Mon Sep 17 00:00:00 2001
From: chgl
Date: Tue, 26 May 2026 16:46:01 +0200
Subject: [PATCH 7/9] permissions
---
 .github/workflows/standard-release.yaml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/standard-release.yaml b/.github/workflows/standard-release.yaml
index b08e38b..117a299 100644
--- a/.github/workflows/standard-release.yaml
+++ b/.github/workflows/standard-release.yaml
@@ -51,6 +51,9 @@ jobs:
 private-key: ${{ secrets.app-token-private-key }} # zizmor: ignore[secrets-outside-env]
 owner: ${{ github.repository_owner }}
 repositories: ${{ github.repository }}
+ permission-contents: write
+ permission-pull-requests: write
+ permission-issues: write

 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
From 73cedd0a403ce65d8362be1655fc59f28deeb82d Mon Sep 17 00:00:00 2001
From: chgl
Date: Tue, 26 May 2026 17:25:29 +0200
Subject: [PATCH 8/9] repos
---
 .github/workflows/standard-release.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/standard-release.yaml b/.github/workflows/standard-release.yaml
index 117a299..3074bbe 100644
--- a/.github/workflows/standard-release.yaml
+++ b/.github/workflows/standard-release.yaml
@@ -49,7 +49,6 @@ jobs:
 with:
 client-id: ${{ secrets.app-token-app-id }} # zizmor: ignore[secrets-outside-env]
 private-key: ${{ secrets.app-token-private-key }} # zizmor: ignore[secrets-outside-env]
- owner: ${{ github.repository_owner }}
 repositories: ${{ github.repository }}
 permission-contents: write
 permission-pull-requests: write
From 75ec35fa86d78762d29495acfe4cf129ae93a08f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 26 May 2026 15:33:06 +0000
Subject: [PATCH 9/9] fix: add document start marker and strip trailing blank line in zizmor config
Agent-Logs-Url: https://github.com/chgl/.github/sessions/167d8081-7fc6-4ee1-aa66-25eb846d6323
Co-authored-by: chgl <5307555+chgl@users.noreply.github.com>
---
 .github/workflows/standard-lint.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml
index 2872a56..ef2cb56 100644
--- a/.github/workflows/standard-lint.yaml
+++ b/.github/workflows/standard-lint.yaml
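Review bot: The three `permission-*` inputs added in the @@ -51 hunk narrow the app token, which is the right direction, but nothing records why exactly contents, pull-requests and issues are required, so the next maintainer cannot tell whether a fourth scope is missing or one of these is stale; a comment above them such as `# least-privilege scopes for the release step; keep in sync with the job's permissions block` would tie them to the job-level `permissions` (which grants `issues: write`, visible in patch 1's @@ -39 hunk). Presumably token creation fails if the app installation does not grant one of these permissions, so the reusable workflow's documentation for `use-app-token` should list them as the installation's minimum. The `- uses: actions/create-github-app-token` step that owns these inputs starts above the hunk.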
@@ -80,7 +80,8 @@ jobs:

 - name: Create standard zizmor rules file
 env:
- ZIZMOR_CONFIG_YAML: |
+ ZIZMOR_CONFIG_YAML: |-
+ ---
 rules:
 undocumented-permissions:
 disable: true
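Review bot: Switching the block scalar to `|-` and prepending `---` only makes sense because MegaLinter is linting the rules file that the step just wrote into the workspace root (`./.zizmor-standard-lint-defaults.yaml` since patch 4), and keeping generated content yamllint-clean by hand is fragile. Excluding the file via MegaLinter's `FILTER_REGEX_EXCLUDE`, or writing it under a path the linters already skip, removes that coupling; if it stays where it is, a comment above the step, e.g. `# lives in the workspace so the MegaLinter container can read it; formatted to pass yamllint`, explains the otherwise puzzling `|-` and `---`. The `steps:` list that holds this step continues outside the hunk.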