
Revert "⬆️ Add Zizmor setup in workflow"#867

Merged: jorenham merged 1 commit into main from revert-866-fix-zizmor on May 1, 2026

Conversation

@jorenham (Member) commented May 1, 2026

Reverts #866

This broke CI on main: https://github.com/numpy/numtype/actions/runs/25214891928

Running locally also shows 21 errors:

$ uvx zizmor .
 INFO zizmor: 🌈 zizmor v1.24.1
 INFO audit: zizmor: 🌈 completed ./.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/ci.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/docs.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/publish-pypi.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/zizmor.yml
warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
 --> ./.github/dependabot.yml:4:3
  |
4 | - package-ecosystem: github-actions
  |   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ missing cooldown configuration
  |
  = note: audit confidence → High
  = note: this finding has an auto-fix

warning[dependabot-cooldown]: insufficient cooldown in Dependabot updates
  --> ./.github/dependabot.yml:17:3
   |
17 | - package-ecosystem: uv
   |   ^^^^^^^^^^^^^^^^^^^^^ missing cooldown configuration
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/ci.yml:23:7
   |
23 |     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/ci.yml:55:7
   |
55 |     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/ci.yml:72:7
   |
72 |     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/ci.yml:92:7
   |
92 |     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

warning[excessive-permissions]: overly broad permissions
 --> ./.github/workflows/ci.yml:2:1
  |
2 | permissions: read-all
  | ^^^^^^^^^^^^^^^^^^^^^ uses read-all permissions
  |
  = note: audit confidence → High

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/docs.yml:26:7
   |
26 |     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> ./.github/workflows/publish-pypi.yml:20:7
   |
20 |     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

error[cache-poisoning]: runtime artifacts potentially vulnerable to a cache poisoning attack
  --> ./.github/workflows/publish-pypi.yml:22:7
   |
 3 | / on:
 4 | |   workflow_dispatch:
 5 | |   push:
 6 | |     tags:
 7 | |     - "v*"
   | |__________- generally used when publishing artifacts generated at runtime
...
22 |         uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ enables caching by default
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix

21 findings (11 suppressed, 9 fixable): 0 informational, 0 low, 9 medium, 1 high
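The four finding types in the report above each map to one workflow setting. The fragments below are an added illustration of what the corrected settings look like, not the project's own files or the content of #866; the action SHAs are the ones quoted in the report, while the job names, the `uv` dependabot entry and the 7-day cooldown value are assumed.

```yaml
# .github/dependabot.yml  (dependabot-cooldown: "missing cooldown configuration")
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7      # assumed value: wait before a fresh release is proposed
  - package-ecosystem: uv
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7
---
# .github/workflows/ci.yml  (excessive-permissions + artipacked)
permissions:
  contents: read           # explicit least privilege instead of `read-all`
jobs:
  test:                    # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # keeps GITHUB_TOKEN out of .git/config, so a later upload-artifact
          # step cannot ship the checkout including the token
          persist-credentials: false
---
# .github/workflows/publish-pypi.yml  (cache-poisoning)
on:
  workflow_dispatch:
  push:
    tags:
      - "v*"
permissions:
  contents: read
jobs:
  build:                   # assumed job name
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
        with:
          # a release build should not restore a cache that another run
          # (e.g. from a pull request) could have written
          enable-cache: false
```

The `artipacked` findings carry Low confidence because zizmor cannot tell whether any step actually uploads the checkout; setting `persist-credentials: false` is still the safe default when no later step needs to push.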

@jorenham (Member, Author) commented May 1, 2026

cc @Aniketsy

@jorenham jorenham enabled auto-merge (squash) May 1, 2026 13:11
@jorenham jorenham merged commit ab8ec94 into main May 1, 2026
21 of 23 checks passed
@jorenham jorenham deleted the revert-866-fix-zizmor branch May 1, 2026 13:13
@Aniketsy (Contributor) commented May 1, 2026

ohh 😿, sorry, I'll look into it again.
