
Commit 76e2a6b

swibi-ttd and claude committed
UID2-7011: add zizmor workflow-security scan (report-only)
Bare caller of the shared scan: severity floors inherit central defaults (report-only, High) and are overridable per-repo via ZIZMOR_* Actions variables. Part of the UID2-7011 org-wide rollout. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
1 parent e673de2 commit 76e2a6b

1 file changed

Lines changed: 21 additions & 0 deletions


.github/workflows/zizmor.yaml

@@ -0,0 +1,21 @@
1+
name: Zizmor Scan
2+
3+
on:
4+
pull_request:
5+
# Trigger when anything zizmor scans changes. The scan itself covers the
6+
# whole repo; if this repo keeps composite actions outside .github/, add
7+
# those paths so changes there don't slip through.
8+
paths:
9+
- '.github/**'
10+
workflow_dispatch:
11+
12+
permissions:
13+
contents: read
14+
15+
jobs:
16+
zizmor:
17+
# Bare call: severity floors inherit the shared workflow's central defaults
18+
# (report-only, High) and can be overridden per-repo via the
19+
# ZIZMOR_MIN_SEVERITY / ZIZMOR_FAIL_SEVERITY Actions variables — no PR
20+
# needed. See the zizmor section of the uid2-shared-actions README.
21+
uses: IABTechLab/uid2-shared-actions/.github/workflows/shared-zizmor-scan.yaml@v3
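
Review bot: The `uses:` line that closes the `zizmor` job (new line 21) references the shared workflow by the tag `@v3`, and a tag can be moved to a different commit after this merges, so this file does not fix which code runs in the repo's PR checks. Consider pinning to the full commit SHA of the intended release and keeping the tag as a trailing comment, in the form `shared-zizmor-scan.yaml@<full-commit-sha> # v3`, where `<full-commit-sha>` is a placeholder for the real value. Separately, the top-level `permissions:` block grants only `contents: read`, and a caller's permissions cap what the called workflow's token can do; if the shared scan uploads results to code scanning or comments on the pull request, the matching write scope has to be granted here, so that is worth confirming against the shared workflow before the rollout.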
