fix(ci): disable zizmor advanced security to unblock release pushes

wochinge · claude · wochinge · commit 5e474823e2f2 · 2026-04-17T13:46:26.000+02:00
With advanced-security enabled, zizmor uploads SARIF to GitHub Code Scanning.
The branch protection ruleset then requires those results before allowing pushes
to main. This blocks the release workflow because its version-bump commit doesn't
exist on GitHub yet, so code scanning can't produce results for it — a
chicken-and-egg problem.

Switching to advanced-security: false keeps zizmor as a regular CI check
(pass/fail) without uploading to Code Scanning, avoiding the branch protection
conflict. Also sets min-severity to medium to filter out noisy low-severity
findings.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -19,7 +19,6 @@ jobs:
     if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
       contents: read
     steps:
       - name: Checkout
@@ -29,4 +28,5 @@ jobs:
       - name: Run zizmor
         uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
         with:
-          advanced-security: true
+          advanced-security: false
+          min-severity: medium
