feat: run a github actions static analysis before checkup #104
Codecov Report
❌ Patch coverage is

Additional details and impacted files

@@ Coverage Diff @@
##             main     #104      +/-   ##
==========================================
+ Coverage   94.57%   94.66%   +0.08%
==========================================
  Files           6        6
  Lines         369      375       +6
==========================================
+ Hits          349      355       +6
  Misses         20       20
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.
zimeg
left a comment
📝 A few notes on happenings for the kind reviewers but I hope to attempt a prerelease before requesting review!
| using: composite | ||
| steps: | ||
| - name: Actions | ||
| uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1 | ||
| - name: Checkup | ||
| uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1 | ||
| env: | ||
| INPUT_EXTENSION: ${{ inputs.extension }} | ||
| INPUT_GITHUB_TOKEN: ${{ inputs.github_token }} | ||
| INPUT_INCLUDE: ${{ inputs.include }} | ||
| INPUT_EXCLUDE: ${{ inputs.exclude }} | ||
| INPUT_CODECOV_TOKEN: ${{ inputs.codecov_token }} | ||
| INPUT_CODECOV_MAX_ATTEMPTS: ${{ inputs.codecov_max_attempts }} | ||
| INPUT_CODECOV_RETRY_DELAY: ${{ inputs.codecov_retry_delay }} | ||
| INPUT_CODECOV_TREAT_TIMEOUT_AS_ERROR: ${{ inputs.codecov_treat_timeout_as_error }} | ||
| with: | ||
| script: | | ||
| const script = require("./dist/index.js"); | ||
| await script(context, core, github); |
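Review bot: the `script:` block calls `require("./dist/index.js")`, and `actions/github-script` resolves a relative `require` against the workspace the workflow runs in, not against this action's own checkout; now that the bundle is loaded from a composite step instead of the action's `main:` entry point, confirm it is still found when a consumer repository uses this action, or build the path from `${{ github.action_path }}` and pass it in through `env:` (for example `INPUT_ACTION_PATH`, a name assumed here) before the `require`. Pinning both `uses:` lines to a full commit SHA with a version comment is the right call, and passing the action's inputs through `env:` rather than interpolating them into the `script:` text keeps input values out of the JavaScript source.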
📣 This is the main change of the PR! The action changes from a standalone JavaScript step to a "composite" action with multiple steps.
🎁 The actions/github-script package provides various inputs that we can use with the inputs of this action to run the JavaScript portion just as before!
👁️🗨️ Before merging or releasing this change, we might want to attempt a prerelease for expected findings-
| module.exports = function getCommitSHA(core, github) { | ||
| module.exports = function getCommitSHA(context, core) { | ||
| // Get GitHub-event-relevant contextual details, like commit SHA | ||
| const ctx = github.context; |
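Review bot: the new signature `getCommitSHA(context, core)` drops the `github` parameter, yet the body line shown, `const ctx = github.context;`, still reads `github`; unless that line is also removed in this hunk it throws a ReferenceError at runtime. Read the SHA from the passed-in `context` directly, and a one-line comment noting that `context` is the object `actions/github-script` hands to the script would make the new calling convention clear to the next reader.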
🪓 Most code updates replace the removed github.context with a provided context after changing to a composite action.
| needs: unit_tests | ||
| permissions: | ||
| checks: write | ||
| security-events: write |
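Review bot: once a `permissions:` block is present on a job, every scope not listed drops to `none`, so if this job also checks out the repository it needs `contents: read` next to `checks: write` and `security-events: write`. Keeping the block to the scopes the scan actually needs (`security-events: write` to upload findings to code scanning, `checks: write` to post check results) is the right least-privilege shape; also consider whether `needs: unit_tests` should gate the scan, since a failing test job would then hide workflow findings until the tests are fixed.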
🔗 https://github.com/zizmorcore/zizmor-action
This is the recommended way to use zizmor-action as it provides stateful analysis and enables incremental triage.
📝 A note on expected errors and found comments might also include a section in the
📝 Interesting settings that might be nice to use adjacent to these checks: https://github.blog/changelog/2025-08-15-github-actions-policy-now-supports-blocking-and-sha-pinning-actions/
Summary
This PR attempts to add zizmor-action to the health checks for matching checks across projects 🤖 ✨
Requirements