From 5e474823e2f225e80c2edf7f4d995c225ffa3310 Mon Sep 17 00:00:00 2001
From: Tobias Wochinger
Date: Fri, 17 Apr 2026 13:46:26 +0200
Subject: [PATCH 1/2] fix(ci): disable zizmor advanced security to unblock release pushes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

With advanced-security enabled, zizmor uploads SARIF to GitHub Code Scanning. The branch protection ruleset then requires those results before allowing pushes to main. This blocks the release workflow because its version-bump commit doesn't exist on GitHub yet, so code scanning can't produce results for it — a chicken-and-egg problem. Switching to advanced-security: false keeps zizmor as a regular CI check (pass/fail) without uploading to Code Scanning, avoiding the branch protection conflict. Also sets min-severity to medium to filter out noisy low-severity findings.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/zizmor.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index c706f5c43..c614e1698 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -19,7 +19,6 @@ jobs:
 if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
 runs-on: ubuntu-latest
 permissions:
- security-events: write
 contents: read
 steps:
 - name: Checkout
@@ -29,4 +28,5 @@ jobs:
 - name: Run zizmor
 uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
 with:
- advanced-security: true
+ advanced-security: false
+ min-severity: medium

From 5cf46549018d97480fe030c71b5dc24b28f0c034 Mon Sep 17 00:00:00 2001
From: Tobias Wochinger
Date: Fri, 17 Apr 2026 13:52:19 +0200
Subject: [PATCH 2/2] fix(ci): add comment explaining advanced-security: false

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/zizmor.yml | 2 ++
 1 file changed, 2 insertions(+)
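Review bot: In the second hunk, `min-severity: medium` drops low-severity findings from the gate at the same time as `advanced-security: false` stops the SARIF upload, so those findings are no longer surfaced anywhere — they neither fail the job nor reach Code Scanning. If that is intended, say so next to the threshold, e.g. `min-severity: medium  # low-severity findings are neither blocking nor uploaded; run zizmor locally to review them`, so the trade-off is visible to whoever re-enables the upload later. The removal of `security-events: write` in the first hunk is consistent with no longer uploading and keeps the job at `contents: read`. An alternative that would keep Code Scanning is to exempt the release actor from the ruleset instead of disabling the upload, but that cannot be judged from this hunk. The `with:` block belongs to a step whose job definition starts above the hunk.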
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index c614e1698..725619c3f 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -28,5 +28,7 @@ jobs:
 - name: Run zizmor
 uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
 with:
+ # Using false as a code scanning ruleset would block the release
+ # workflow which creates a new commit and pushes directly to main.
 advanced-security: false
 min-severity: medium
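Review bot: The added comment describes the consequence but not the mechanism, and `Using false as a code scanning ruleset` reads as if the ruleset itself were set to false; it also does not say what is given up by the setting. I would word it as `# Kept false on purpose: with SARIF upload enabled, the code-scanning ruleset requires results for every push, which the release workflow's direct push of a new commit to main cannot satisfy. Findings therefore only gate this job and are not recorded in Code Scanning.`, split across three `#` lines to stay within the usual line length. The step sits in a job whose header is above the hunk.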