-
-
Notifications
You must be signed in to change notification settings - Fork 345
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
zizmor is all the rage these days, probably worth adding it #3154
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was going to do this when I read woodruffw's blog post about ultralytics, but got distracted by updating action versions... oops...
Thanks for doing this!
- repo: https://github.com/woodruffw/zizmor-pre-commit | ||
rev: v0.9.1 | ||
hooks: | ||
- id: zizmor |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might be worth adding it as a GitHub action because I think it can catch more issues if it is passed a GITHUB_TOKEN.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(source: https://woodruffw.github.io/zizmor/usage/#operating-modes if others are curious)
it's sort-of possible to pass ENV variables to pre-commit hooks (pre-commit/pre-commit#758 (comment)) though it's somewhat hacky. If we expect the hook to trigger somewhat frequently we can have it as a pre-commit hook that's disabled in CI (idk where that's documented, but https://github.com/python-trio/flake8-async/blob/f82074ad631e46daa63fa4a2b016e54dc6e762f0/.pre-commit-config.yaml#L7) and a github action - but perhaps we only need to bother with it as a github action.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #3154 +/- ##
===============================================
Coverage 100.00000% 100.00000%
===============================================
Files 124 124
Lines 18427 18427
Branches 1215 1215
===============================================
Hits 18427 18427 |
.github/workflows/ci.yml
Outdated
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most changes in this file need to be dropped since there's less checkout invocations now.
not sure what to do about this failure:
|
@graingert can it be ignored? The values are constructed in the same job by our code. So this templating is safe in that regard. Though, the generic approach is to use step env vars as a trampoline.. |
How do you do the step env trampoline? |
Just do env: VAR: value for the step; GitHub actions automatically escapes the value |
@graingert check out this https://woodruffw.github.io/zizmor/audits/#template-injection — if you scroll a little, there's a |
No description provided.