Commit cd3c4a9
Remove frizbee.yml caller workflow (#1582)
* Add zizmor and frizbee CI checks
Add caller workflows for zizmor (security scanning) and frizbee
(action pinning verification). Fix zizmor findings where applicable
and add suppression config for intentional patterns.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Add explicit permissions blocks, remove excessive-permissions ignores
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Replace zizmor line-number ignores with policies
Use unpinned-uses config.policies with org-level wildcard and
secrets-inherit disable instead of brittle per-line ignores that
break whenever workflow files change.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Disable ref-confusion audit
The ref-confusion audit crashes when workflows reference private
repos (e.g. internal-workflows, robot) because the GITHUB_TOKEN
lacks cross-repo access. Disable until zizmor supports scoping
this audit or we provide a broader token.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Add security-events: write to zizmor caller workflow
The caller workflow's permissions are the ceiling for reusable
workflows. The zizmor-action needs security-events: write to
upload SARIF results to GitHub Advanced Security.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* Remove frizbee.yml caller workflow
Frizbee is being removed from the reusable actionci workflow
(smallstep/workflows#301). This standalone caller is no longer needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
1 parent 87cd7de commit cd3c4a9
1 file changed
Lines changed: 17 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
| 1 | + | |
| 2 | + | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
| 6 | + | |
| 7 | + | |
| 8 | + | |
| 9 | + | |
| 10 | + | |
| 11 | + | |
| 12 | + | |
| 13 | + | |
| 14 | + | |
| 15 | + | |
| 16 | + | |
| 17 | + | |
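Review bot: the subject line "Remove frizbee.yml caller workflow" does not match the change recorded here, which is 17 added lines (1 to 17) in one file with 0 deletions, so nothing is removed by the commit as it landed. The squash appears to have taken its subject from the last bullet of the message. Retitle it after the net change (the first bullet, "Add zizmor and frizbee CI checks", is closer, minus frizbee) so that anyone searching workflow history for when the CI checks and their permissions were introduced can find this commit.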