ci: bump zizmor-action to v0.5.6 and disable uv cache in release build

9c596da
Merged

ci: add zizmor for GitHub Actions security analysis #2648

Claude / Claude Code Review completed May 20, 2026 in 9m 36s

Code review found 1 potential issue

Found 4 candidates, confirmed 1. See review comments for details.

Details

| Severity | Count |
|---|---|
| 🔴 Important | 0 |
| 🟡 Nit | 1 |
| 🟣 Pre-existing | 0 |

| Severity | File:Line | Issue |
|---|---|---|
| 🟡 Nit | .github/workflows/claude.yml:39 | Inline zizmor ignore[secrets-outside-env] in claude.yml is a no-op under the regular persona |

Annotations

Check warning on line 39 in .github/workflows/claude.yml

@claude claude / Claude Code Review

Inline zizmor ignore[secrets-outside-env] in claude.yml is a no-op under the regular persona

The inline `# zizmor: ignore[secrets-outside-env]` is a no-op for the CI job this PR adds: `secrets-outside-env` only fires under zizmor's `auditor` persona, but `zizmor.yml` doesn't set a `persona:` input so `zizmor-action` runs the default `regular` persona where this audit never triggers. This means the PR description's claim that the suppression silences "the one remaining warning" is incorrect, and the discussed follow-up (creating a GitHub environment for `ANTHROPIC_API_KEY`) is not actual