Pin GitHub Actions and Improved Zizmor Setup #37
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
alakae
changed the title
|
btw. I have used |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
mweibel
left a comment
mweibel
left a comment
There was a problem hiding this comment.
LGTM.
btw. I have used pinact run to pin to the hashes.
I assume in the future, dependabot will take care of this?
About the audit message from GitHub security bot (cooldown missing): I saw that you added it afterwards, right?
Interesting that it didn't notice this and remove the comment.
Yes, dependabot will create PRs that update both the SHA and the comment with the version number. I just wanted to document this somewhere for future reference.
Yes, it appeared after I added dependabot config and was marked fixed when I added the cool-down. Where did you see it, here it is marked fixed: 
|
that's what I expected. Nice 👍
As mentioned in chat - it seems it only marked it as fixed after my review. |
There are three changes in this PR:
zizmor-actionlatestversion ofzizmor: https://github.com/zizmorcore/zizmor-action?tab=readme-ov-file#versiongithub-actions, limited to major versions.