Merged
9 changes: 9 additions & 0 deletions .github/workflows/add-lockdown-label.yml
Expand Up @@ -3,6 +3,11 @@ name: Add Branch Lockdown Label to PRs
on:
pull_request_target:
workflow_dispatch: # Allows manual triggering of the workflow
branches:
- 'release/8.*'
- 'release/9.*'
- 'release/10.*'
Comment on lines +6 to +9
Member


I think it's reasonable to just use 'release/*' here as that probably matches the branch protection rule, then it wouldn't need to be updated with each release.

- 'main'

permissions:
actions: write # For managing the operation state cache
Expand All @@ -11,6 +16,8 @@ permissions:
jobs:
add-label:
runs-on: ubuntu-latest
# Only run on the main repository, not forks
if: github.repository == 'dotnet/sdk'
Comment on lines +19 to +20
Member


This works. Alternate approach we used for the issue-labeler is to only check the org and also to allow a manual dispatch to bypass this check. I doubt this repo would be renamed or that you care to let forks manually dispatch the action though.

https://github.com/dotnet/runtime/blob/0ad494ba0eb84ada521d259c7d24dd0892c7a54d/.github/workflows/labeler-predict-pulls.yml#L49-L50


permissions:
contents: read
Expand All @@ -19,6 +26,8 @@ jobs:
steps:
- name: Checkout repository
uses: actions/checkout@v2
with:
persist-credentials: false

- name: Install jq
run: sudo apt-get install -y jq
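Review bot: As rendered, the new `branches:` list sits after `workflow_dispatch:` rather than directly under `pull_request_target:`. Indentation is not visible on this page, but if the list is nested under `workflow_dispatch` it does not filter `pull_request_target` events, and the workflow would still run for pull requests against every branch. Moving the block so it directly follows `pull_request_target:` (the way `types:` and `branches:` are ordered in remove-lockdown-label.yml) makes the intent unambiguous. Separately, the checkout step still uses the mutable tag `actions/checkout@v2` while copilot-setup-steps.yml pins a full commit SHA; pinning here too would be consistent for a job triggered by `pull_request_target`.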
2 changes: 2 additions & 0 deletions .github/workflows/copilot-setup-steps.yml
Expand Up @@ -20,6 +20,8 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
persist-credentials: false
- name: Do an initial build to ensure all dependencies are restored
continue-on-error: true
run: |
9 changes: 7 additions & 2 deletions .github/workflows/remove-lockdown-label.yml
Expand Up @@ -2,15 +2,20 @@ name: Remove Lockdown Label from PRs

on:
pull_request_target:
types: [closed]
branches:
- 'release/8.*'
- 'release/9.*'
- 'release/10.*'
- 'main'

permissions:
actions: write
pull-requests: write

jobs:
remove-labels:
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'Branding')
# Only run on the main repository, not forks
if: github.event.pull_request.merged == true && contains(github.event.pull_request.labels.*.name, 'Branding') && github.repository == 'dotnet/sdk'
runs-on: ubuntu-latest
steps:
- name: PR's only change is <VersionFeature> in eng/Versions.props
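Review bot: The condition on the `remove-labels` job is now one long line, and the comment above it describes only the last of its three clauses. A folded scalar with the repository guard first would let each check be read and changed on its own: `if: >-` followed by `github.repository == 'dotnet/sdk' &&` and the two existing clauses on separate lines. The comment could then sit next to the clause it explains.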
1 change: 1 addition & 0 deletions .github/workflows/update-man-pages.yml
Expand Up @@ -17,6 +17,7 @@ jobs:
uses: actions/checkout@v4
with:
ref: release/10.0.1xx
persist-credentials: false

- name: Update man-pages
run: |
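Review bot: With `persist-credentials: false` on this checkout, later steps in the job no longer find the token in the local git config, so any `git push` or authenticated fetch that relied on it will fail. The steps after `Update man-pages` are outside this hunk; if one of them pushes a branch, it has to supply a token explicitly. A short comment next to the setting, such as `# token is not stored in .git/config; pushes must authenticate explicitly`, would record the reason for the next maintainer.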
23 changes: 15 additions & 8 deletions .github/workflows/update-static-web-assets-baselines.yml
Expand Up @@ -24,9 +24,10 @@ jobs:

- name: Checkout PR branch
run: |
gh pr checkout ${{ github.event.inputs.pr_number }}
gh pr checkout ${GITHUB_EVENT_INPUTS_PR_NUMBER}
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_EVENT_INPUTS_PR_NUMBER: ${{ github.event.inputs.pr_number }}

- name: Run build script
id: build
Expand Down Expand Up @@ -79,33 +80,39 @@ jobs:
- name: Comment on PR - No changes
if: steps.update.outcome == 'success' && steps.check-changes.outputs.changes == 'false'
run: |
gh pr comment ${{ github.event.inputs.pr_number }} \
gh pr comment ${GITHUB_EVENT_INPUTS_PR_NUMBER} \
--body "No baselines were updated."
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_EVENT_INPUTS_PR_NUMBER: ${{ github.event.inputs.pr_number }}

- name: Comment on PR - Changes pushed
if: steps.commit.outcome == 'success'
run: |
gh pr comment ${{ github.event.inputs.pr_number }} \
gh pr comment ${GITHUB_EVENT_INPUTS_PR_NUMBER} \
--body "Baselines updated."
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GITHUB_EVENT_INPUTS_PR_NUMBER: ${{ github.event.inputs.pr_number }}

- name: Comment on PR - Failure
if: steps.build.outcome == 'failure' || steps.update.outcome == 'failure' || (steps.check-changes.outputs.changes == 'true' && steps.commit.outcome == 'failure')
run: |
ERROR_MSG="Update baselines failed"

if [[ "${{ steps.build.outcome }}" == "failure" ]]; then
if [[ "${STEPS_BUILD_OUTCOME}" == "failure" ]]; then
ERROR_MSG="$ERROR_MSG: Build script failed"
elif [[ "${{ steps.update.outcome }}" == "failure" ]]; then
elif [[ "${STEPS_UPDATE_OUTCOME}" == "failure" ]]; then
ERROR_MSG="$ERROR_MSG: Update baselines script failed"
elif [[ "${{ steps.commit.outcome }}" == "failure" ]]; then
elif [[ "${STEPS_COMMIT_OUTCOME}" == "failure" ]]; then
ERROR_MSG="$ERROR_MSG: Failed to commit or push changes"
fi

gh pr comment ${{ github.event.inputs.pr_number }} \
gh pr comment ${GITHUB_EVENT_INPUTS_PR_NUMBER} \
--body "$ERROR_MSG"
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
STEPS_BUILD_OUTCOME: ${{ steps.build.outcome }}
STEPS_UPDATE_OUTCOME: ${{ steps.update.outcome }}
STEPS_COMMIT_OUTCOME: ${{ steps.commit.outcome }}
GITHUB_EVENT_INPUTS_PR_NUMBER: ${{ github.event.inputs.pr_number }}
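Review bot: The new `${GITHUB_EVENT_INPUTS_PR_NUMBER}` expansions are unquoted in the `gh pr checkout` call and in all three `gh pr comment` calls, so a `pr_number` input containing whitespace or glob characters is still word-split by the shell and can reach `gh` as extra arguments. Moving the value into `env:` keeps it out of the script text, but the expansion should also be quoted, e.g. `gh pr checkout "${GITHUB_EVENT_INPUTS_PR_NUMBER}"`, and likewise on the comment lines. Since the input is meant to be a PR number, a guard such as `[[ "${GITHUB_EVENT_INPUTS_PR_NUMBER}" =~ ^[0-9]+$ ]] || exit 1` at the top of the checkout step would reject anything else before it is used.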