
Bypass zizmor warnings #687

Closed
wants to merge 1 commit into from

Conversation


@maresb maresb commented Dec 23, 2024

Summary

I suspect that your zizmor workflow is misconfigured in a way that makes it easy to bypass in an individual PR. This is an attempted proof of concept.

The fix is to use `branches: ["**"]` instead of `branches: ["*"]` since I can bypass the workflow by putting a slash in my branch name.

I recently set up zizmor myself, and I was comparing your config with the standard one, and noticed this very minor discrepancy.

Pull Request Check List

  • Do not open pull requests from your main branch – use a separate branch!
    • There's a ton of footguns waiting if you don't heed this warning. You can still go back to your project, create a branch from your main branch, push it, and open the pull request from the new branch.
    • This is not a prerequisite for your pull request to be accepted, but you have been warned.
  • Added tests for changed code.
    • The CI fails with less than 100% coverage.
  • New APIs are added to our typing tests in api.py.
  • Updated documentation for changed code.
    • New functions/classes have to be added to docs/api.rst by hand.
    • Changed/added classes/methods/functions have appropriate versionadded, versionchanged, or deprecated directives.
      • The next version is the second number in the current release + 1. The first number represents the current year. So if the current version on PyPI is 23.1.0, the next version is gonna be 23.2.0. If the next version is the first in the new year, it'll be 24.1.0.
  • Documentation in .rst and .md files is written using semantic newlines.
  • Changes (and possible deprecations) are documented in the changelog.
  • Consider granting push permissions to the PR branch, so maintainers can fix minor issues themselves without pestering you.


maresb commented Dec 23, 2024

Ah, never mind, sorry for the noise!

I will raise the converse issue in zizmor.

@maresb maresb closed this Dec 23, 2024

maresb commented Dec 23, 2024

I was confused about what's being pattern-matched. It's not the source branch `bugfix/no-zizmor` but the target branch `main`. So you're safe unless you create a branch in your base repo containing a slash and merge an unchecked PR into that. (Super obscure.)

Reference: official documentation for the pattern matching syntax: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#patterns-to-match-branches-and-tags
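
To make the `*` versus `**` distinction and the base-branch point concrete, here is an added Python model of the branch-filter matching rules from the linked documentation, applied the way the `pull_request` event applies them. It is example code, not zizmor's or this project's workflow; the filter lists and branch names are constructed.

```python
import re

# Constructed filters, not the repository's real workflow file.
NARROW_FILTER = ["*"]   # the pattern this PR flagged: `*` never spans a "/"
WIDE_FILTER = ["**"]    # the suggested replacement: `**` matches across "/"


def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate a GitHub Actions branch/tag glob into an anchored regex.

    Rules from the linked docs: `*` matches any run of characters except "/",
    `**` matches anything including "/", `?` matches a single non-"/" character.
    Everything else is matched literally. (The `+` quantifier and `!` negation
    from the same docs are deliberately not modelled here.)
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        ch = pattern[i]
        if ch == "*":
            out.append("[^/]*")
        elif ch == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def branch_matches(filters, branch: str) -> bool:
    """True if any pattern in the `branches:` list matches the branch name."""
    return any(glob_to_regex(p).fullmatch(branch) for p in filters)


def pull_request_triggers(filters, base_ref: str, head_ref: str) -> bool:
    """Model of the pull_request event: the `branches:` filter is evaluated
    against the PR's base (target) branch; the contributor's head branch name
    is irrelevant to whether the workflow runs."""
    del head_ref  # intentionally unused, to make the point explicit
    return branch_matches(filters, base_ref)
```

With `NARROW_FILTER`, a PR from `bugfix/no-zizmor` into `main` still triggers, because only `main` is tested; the filter only fails to fire when the base branch itself contains a slash, which `WIDE_FILTER` covers.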

@maresb maresb deleted the bugfix/no-zizmor branch December 23, 2024 10:21