fix(ci): disable zizmor advanced security to unblock releases#789

Merged
wochinge merged 3 commits into main from fix/zizmor-advanced-security on Apr 17, 2026

Conversation

Contributor

@wochinge wochinge commented Apr 17, 2026

Summary

  • Disables advanced-security for zizmor so it no longer uploads SARIF to GitHub Code Scanning
  • Sets min-severity: medium to filter noisy low-severity findings
  • Removes now-unnecessary security-events: write permission

Context

Same change as langfuse/langfuse-python#1630. With advanced-security: true, zizmor registers as a code scanning tool. A branch protection ruleset requiring code scanning results would block the release workflow, which creates a new commit and pushes directly to main — the commit doesn't exist on GitHub yet, so code scanning can't produce results for it.

Test plan

  • Verify zizmor workflow still runs and catches issues on PRs
  • Verify release workflow can push to main without being blocked

🤖 Generated with Claude Code
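As an added illustration (not the repository's actual workflow file, and not code from the PR), a minimal zizmor workflow in the two forms the PR describes: the before form, where zizmor registers as a code-scanning tool and needs the upload permission, and the after form, where it stays a plain pass/fail check. The triggers, checkout step and the `<pinned-sha>` action pins are assumptions and placeholders.

```yaml
# BEFORE (illustrative): zizmor uploads SARIF to GitHub Code Scanning and
# therefore needs security-events: write. A ruleset that requires
# code-scanning results then blocks the release workflow's direct push.
name: zizmor
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read
  security-events: write      # only needed for the SARIF upload
jobs:
  zizmor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-sha>          # placeholder pin
        with:
          persist-credentials: false
      - uses: zizmorcore/zizmor-action@<pinned-sha>  # placeholder pin
        with:
          advanced-security: true   # registers zizmor as a code-scanning tool

---
# AFTER (illustrative): the settings the PR describes. zizmor still runs and
# fails the job on medium+ findings, but reports via annotations/stdout only,
# so no code-scanning result is expected and the release push is not blocked.
name: zizmor
on:
  pull_request:
  push:
    branches: [main]
permissions:
  contents: read              # security-events: write dropped (least privilege)
jobs:
  zizmor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@<pinned-sha>          # placeholder pin
        with:
          persist-credentials: false
      - uses: zizmorcore/zizmor-action@<pinned-sha>  # placeholder pin
        with:
          advanced-security: false  # no SARIF upload, no code-scanning registration
          min-severity: medium      # filter out noisy low-severity findings
```

A quick check after applying the change is that the zizmor job still fails on a deliberately weak PR while the release workflow's push to main is no longer held waiting for a code-scanning result.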

Disclaimer: Experimental PR review

Greptile Summary

This PR disables zizmor's advanced-security mode (preventing SARIF upload to GitHub Code Scanning), sets a min-severity: medium filter to suppress low-severity noise, and removes the now-unneeded security-events: write permission. The change mirrors the fix already applied in langfuse/langfuse-python#1630 and resolves the root cause: branch protection rules require code scanning results, but the release workflow commits directly to main with no prior scan, causing a deadlock.

Confidence Score: 5/5

Safe to merge — targeted CI configuration fix with no functional or security regressions.

Both changed files are CI/Dependabot config only. The logic is correct: advanced-security: false stops SARIF upload (removing the branch-protection deadlock), min-severity: medium reduces noise without disabling the tool, and dropping security-events: write follows least-privilege. No P0/P1 findings; all changes are well-commented and mirror an already-landed fix in the Python SDK repo.

No files require special attention.

Important Files Changed

Filename | Overview
.github/workflows/zizmor.yml | Disables SARIF upload via advanced-security: false, adds min-severity: medium filter, and removes the now-unnecessary security-events: write permission — all consistent with the stated goal of unblocking releases.
.github/dependabot.yml | Adds cooldown entries (with an explanatory comment) to satisfy zizmor's medium-severity findings; straightforward housekeeping change with no functional risk.

Sequence Diagram

sequenceDiagram
    participant PR as PR / push to main
    participant GHA as GitHub Actions
    participant Zizmor as zizmor-action
    participant CS as GitHub Code Scanning (SARIF)
    participant BP as Branch Protection Ruleset

    PR->>GHA: Trigger zizmor workflow
    GHA->>Zizmor: Run (advanced-security: false, min-severity: medium)
    Zizmor-->>GHA: Results (medium+ severity only, stdout/annotations)
    Note over CS: SARIF NOT uploaded
    Note over BP: No code-scanning result required → release push unblocked
    GHA-->>PR: Workflow pass/fail (annotation-only)

wochinge and others added 2 commits April 15, 2026 10:27
With advanced-security enabled, zizmor uploads SARIF to GitHub Code Scanning.
A branch protection ruleset requiring code scanning results would block the
release workflow because its version-bump commit doesn't exist on GitHub yet,
so code scanning can't produce results for it.

Switching to advanced-security: false keeps zizmor as a regular CI check
(pass/fail) without uploading to Code Scanning. Also sets min-severity to
medium to filter out noisy low-severity findings.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

@github-actions commented

@claude review


@claude claude Bot left a comment


LGTM — straightforward CI config fix to unblock releases.

Extended reasoning...

Overview

Modifies two CI config files: and . The zizmor workflow is updated to disable SARIF uploads () and filter low-severity findings (), with the now-unnecessary permission removed. The dependabot config gets a field added to the npm entry to satisfy zizmor linting.

Security risks

Reducing to nothing is a permission reduction — no risk introduced. Disabling SARIF upload means findings won't appear in GitHub Code Scanning UI, but zizmor still runs and fails the workflow on medium+ severity findings, so the security gate remains effective.

Level of scrutiny

Low. This is a CI plumbing fix with a clear, well-documented rationale (mirrored from the Python SDK repo). No production or SDK code is touched.

Other factors

No bugs found. Change is minimal, self-contained, and the comment in the YAML clearly documents why is needed.

@wochinge wochinge enabled auto-merge (squash) April 17, 2026 12:04
@wochinge wochinge merged commit ad479f9 into main Apr 17, 2026
12 checks passed
@wochinge wochinge deleted the fix/zizmor-advanced-security branch April 17, 2026 12:06

@claude claude Bot left a comment


LGTM — straightforward CI fix mirroring the same change in the Python SDK.

Extended reasoning...

Overview

Single-file change to .github/workflows/zizmor.yml: sets advanced-security: false, adds min-severity: medium, and removes the now-unneeded security-events: write permission.

Security risks

None. Removing security-events: write strictly reduces the workflow's permission surface. Disabling SARIF upload only affects how results are reported, not whether the tool runs.

Level of scrutiny

Low. This is a pure CI configuration change with a clear, well-documented rationale. The same fix has already landed in the companion Python SDK repo, providing additional confidence in the approach.

Other factors

No bugs were found by the automated review. The diff is small, self-contained, and well-commented. Approval is warranted.
