
Add zizmor CI #7463

Open
ShaharNaveh wants to merge 8 commits into RustPython:main from ShaharNaveh:zizmor

Conversation


@ShaharNaveh ShaharNaveh commented Mar 18, 2026

Summary by CodeRabbit

  • Chores
    • Added an automated security scanning check to the continuous integration pipeline.

@ShaharNaveh ShaharNaveh added the skip:ci (Skip running the ci) label Mar 18, 2026

coderabbitai bot commented Mar 18, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.


Walkthrough

A new security-lint CI job was added to the GitHub Actions workflow to run security linting checks using the zizmor-action. The job executes on ubuntu-latest with security-events write permissions and performs code checkout with disabled credential persistence.

Changes

Cohort / File(s): GitHub Actions Workflow, .github/workflows/ci.yaml
Summary: Added security-lint job that runs zizmor security linting on ubuntu-latest with security-events write permissions. Includes a checkout step with persist-credentials disabled and zizmor-action@v0.4.1 execution.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • youknowone

Poem

🐰 A rabbit hops through CI flows so bright,
Security checks now running each night,
With zizmor's keen eye and permissions set right,
The workflow grows stronger, securing the site! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title check: ✅ Passed. The title 'Add zizmor CI' is concise and directly related to the main change—adding a security-lint job using the zizmor-action to the CI workflow.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 563-565: The "Run zizmor" workflow step uses
zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 but doesn't
check out the repo first, causing the action to fail with "no inputs"; add a
preceding checkout step (e.g., add a step named "Checkout repository" that uses
actions/checkout@v4) placed immediately before the "Run zizmor" step so the
workspace contains the workflow files the action expects.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 745a3f6d-3779-4e95-b8a1-50a81b6af8b2

📥 Commits

Reviewing files that changed from the base of the PR and between 9a5de28 and ee43719.

📒 Files selected for processing (1)
  • .github/workflows/ci.yaml

ShaharNaveh and others added 2 commits March 18, 2026 16:06
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@fanninpm
Contributor

@coderabbitai review


coderabbitai bot commented Mar 18, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yaml:
- Around line 561-564: The workflow has the `steps` key incorrectly nested under
the `permissions` block (see `permissions:` and `steps:`), which makes the job
invalid; fix this by unindenting/moving the `steps:` section so it is a sibling
of `permissions:` (not a child), ensuring `permissions:`, `security-events:
write`, and the `steps:` list (including the `actions/checkout@de0fac2e...`
entry) are at the same indentation level so the `security-lint` job has a valid
`steps` section.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 43ab2e9c-8ea1-4f41-af8e-355e17c45996

📥 Commits

Reviewing files that changed from the base of the PR and between ee43719 and 403175d.

📒 Files selected for processing (1)
  • .github/workflows/ci.yaml
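As an added example (not the project's own ci.yaml, which is not reproduced on this page), this is the security-lint job as the walkthrough and the two review comments above describe it, with `steps` as a sibling of `permissions` rather than nested under it; the checkout pin is a placeholder, and the zizmor SHA is the one quoted in the first review comment.

```yaml
# Added example reconstructed from the PR discussion, not the repository's ci.yaml.
security-lint:
  runs-on: ubuntu-latest
  permissions:
    security-events: write   # lets zizmor-action upload its SARIF findings to code scanning
  steps:                     # sibling of permissions: nesting it under permissions makes the job invalid
    - name: Checkout repository   # required, otherwise zizmor-action fails with "no inputs"
      uses: actions/checkout@v4   # placeholder: pin to a full commit SHA in the real workflow
      with:
        persist-credentials: false   # do not leave the GITHUB_TOKEN in .git/config for later steps
    - name: Run zizmor
      # commit pinned in the PR; the walkthrough names the release as v0.4.1
      uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95
```

With only `security-events: write` granted, the job cannot push or write to the repository even if a linted workflow is malicious, which is the least privilege the upload step needs.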

@fanninpm
Contributor

@ShaharNaveh we might want to consider adding actionlint to the CI suite.

@ShaharNaveh
Contributor Author

@ShaharNaveh we might want to consider adding actionlint to the CI suite.

Sure, we can do both:)

@youknowone
Member

Security lint is expected to be run when the GitHub Action is changed, right? But that task was not run in this PR.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/pr-format.yaml:
- Around line 65-66: The review step using
reviewdog/action-actionlint@0d952c597ef8459f634d7145b0b044a9699e5e43 is
currently gated by the default success() condition and is skipped when the
formatting check fails; update that step to run unconditionally by removing the
success() condition or explicitly adding if: always() to the step (the step
referencing
reviewdog/action-actionlint@0d952c597ef8459f634d7145b0b044a9699e5e43) so
actionlint executes and reports on PRs even when the formatting job fails.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: cb721f38-64bc-4c96-866e-84af2ca12563

📥 Commits

Reviewing files that changed from the base of the PR and between e3a74cb and 7c74b13.

📒 Files selected for processing (2)
  • .github/workflows/ci.yaml
  • .github/workflows/pr-format.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/ci.yaml

Comment on lines +65 to +66
- uses: reviewdog/action-actionlint@0d952c597ef8459f634d7145b0b044a9699e5e43 # v1.71.0
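Review bot: the action reference at line 65 is pinned to a full commit SHA with the release recorded in the trailing `# v1.71.0` comment, which is the form zizmor's unpinned-uses check accepts; when bumping the action, update the comment together with the SHA so the two do not drift apart.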


⚠️ Potential issue | 🟡 Minor

Ensure actionlint runs even when formatting check fails.

At Line 65, this step currently uses the default if: success(), so it is skipped when Check for formatting changes fails. If you want workflow linting to always be reported on PRs, make this step unconditional.

Proposed change
-      - uses: reviewdog/action-actionlint@0d952c597ef8459f634d7145b0b044a9699e5e43 # v1.71.0
+      - if: always()
+        uses: reviewdog/action-actionlint@0d952c597ef8459f634d7145b0b044a9699e5e43 # v1.71.0
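Review bot: `if: always()` in the proposed replacement also fires when the workflow run is cancelled, so the actionlint step would still execute after a cancellation; `if: ${{ !cancelled() }}` gives the intended behaviour of running even when the formatting check failed without that side effect.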

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.
