From a3dc928259ae71c88fe6d1a6e563480eb3077bb5 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Tue, 3 Mar 2026 08:31:51 -0800
Subject: [PATCH 1/2] ci: Disable zizmor GitHub Advanced Security upload by default
---
 .github/workflows/zizmor.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 5f70413..0fd9b00 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -5,7 +5,7 @@ on:
 advanced-security:
 description: Upload results to GitHub Advanced Security
 type: boolean
- default: true
+ default: false
 jobs:
 zizmor:
From ff654e2cf2579a7c06e34b890aba152582d49260 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Tue, 3 Mar 2026 08:56:50 -0800
Subject: [PATCH 2/2] ci: Remove zizmor/frizbee from goCI, fix actionci default, rename jobs
- Change actionci.yml zizmor-advanced-security default to false (matching zizmor.yml). Public repos must explicitly opt in.
- Remove zizmor and frizbee jobs from goCI.yml to avoid duplicate runs for repos that use both goCI.yml and actionci.yml.
- Rename job display names to just "zizmor" and "frizbee".
Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/actionci.yml | 2 +-
 .github/workflows/frizbee.yml | 2 +-
 .github/workflows/goCI.yml | 6 ------
 .github/workflows/zizmor.yml | 2 +-
 4 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml
index 66f0fa9..0a6a8f4 100644
--- a/.github/workflows/actionci.yml
+++ b/.github/workflows/actionci.yml
@@ -17,7 +17,7 @@ on:
 description: Upload zizmor results to GitHub Advanced Security
 required: false
 type: boolean
- default: true
+ default: false
 permissions:
 contents: read
diff --git a/.github/workflows/frizbee.yml b/.github/workflows/frizbee.yml
index 5d94205..4e81e6b 100644
--- a/.github/workflows/frizbee.yml
+++ b/.github/workflows/frizbee.yml
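Review bot: The `description` of the `advanced-security` input in `.github/workflows/zizmor.yml` (and of `zizmor-advanced-security` in `actionci.yml`, which gets the same change) does not say that the upload is now off unless the caller opts in, so a repository that relied on the old default silently stops publishing zizmor findings to code scanning. I would state the default in the text callers read, e.g. `description: Upload results to GitHub Advanced Security (default false; callers must opt in)`. The zizmor job body lies outside these hunks, so it is worth confirming that with the upload disabled the scan step still fails the run on findings rather than only writing them to the job log.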
@@ -4,7 +4,7 @@ on:
 jobs:
 frizbee:
- name: Check action pinning
+ name: frizbee
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/goCI.yml b/.github/workflows/goCI.yml
index 29e9530..632d39c 100644
--- a/.github/workflows/goCI.yml
+++ b/.github/workflows/goCI.yml
@@ -145,12 +145,6 @@ jobs:
 PAT: ${{ secrets.PAT }}
 CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
- zizmor:
- uses: ./.github/workflows/zizmor.yml
-
- frizbee:
- uses: ./.github/workflows/frizbee.yml
-
 build:
 uses: ./.github/workflows/goBuild.yml
 if: inputs.run-build
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
index 0fd9b00..65e9e21 100644
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@@ -9,7 +9,7 @@ on:
 jobs:
 zizmor:
- name: Scan GitHub workflows
+ name: zizmor
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2