
ci: add zizmor workflow #6

Merged
wochinge merged 1 commit into main from lfe-9753-zizmor-for-langfuse-cli on May 12, 2026

Conversation

@wochinge (Contributor)

Summary

  • Adds a GitHub Actions workflow that runs zizmor for security checks on the repository workflows.
  • Uses least-privilege default permissions and pinned action SHAs with exact tag comments.
  • Skips pull requests from forks to avoid uploading security results from untrusted PR contexts.

Linear

Review Focus

  • Confirm the workflow triggers match the desired CI coverage for langfuse-cli.
  • Confirm the fork-PR skip behavior is acceptable for this repository.

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

wochinge merged commit c35dd24 into main on May 12, 2026
4 checks passed
wochinge deleted the lfe-9753-zizmor-for-langfuse-cli branch on May 12, 2026 09:15
@claude (Bot) left a comment

LGTM — straightforward addition of a zizmor security-linting workflow with pinned SHAs, least-privilege permissions, and fork-PR safety guard.

Extended reasoning...

Overview

This PR adds a single new file, .github/workflows/zizmor.yml, a GitHub Actions workflow that runs zizmor (a static analyzer for GitHub Actions workflows) on push to main, PRs to main, merge groups, and manual dispatch. No production code or library logic is touched.

Security risks

None of concern. The workflow itself follows GitHub Actions hardening best practices: empty default permissions: {}, narrowly scoped job-level permissions (security-events: write, contents: read), persist-credentials: false on checkout, action references pinned to full commit SHAs with tag comments, and an if: guard that skips fork-PR runs so untrusted PRs cannot upload security-events results. This is a defensive addition that strengthens the repo's CI security posture.

Level of scrutiny

Low. The change is a small, self-contained, additive CI workflow with no impact on the CLI's runtime behavior. Reviewing it amounts to validating the YAML structure and the security primitives, both of which are well-formed.

Other factors

No bugs were reported by the bug hunter. There are no prior reviews or unresolved comments on the PR timeline. The workflow mirrors common patterns used for zizmor across other Langfuse repos.
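The properties the PR summary and the review comment list (empty default permissions, job-scoped `contents: read` / `security-events: write`, `persist-credentials: false`, SHA-pinned actions with tag comments, and an `if:` guard that skips fork PRs) written out as a complete workflow. This is an added example, not the `.github/workflows/zizmor.yml` merged in this PR, whose contents are not shown on this page. The placeholder SHAs, the `pipx run zizmor` invocation, the SARIF upload via `github/codeql-action/upload-sarif`, and the exact form of the fork guard are assumptions; the project's actual choices may differ.

```yaml
# Added example of a zizmor workflow (not the file from this PR).
# The 40-zero SHAs are placeholders: resolve the real commit for the tag
# you pin and keep the tag in the trailing comment so updates stay reviewable.
name: zizmor

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]
  merge_group:
  workflow_dispatch:

# Empty default: no job inherits any token scope it does not explicitly request.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    # Skip pull requests whose head lives in a fork. The token on fork PRs is
    # read-only anyway, so the SARIF upload would fail, and results produced
    # from an untrusted head should not land in this repo's Code Scanning data.
    # push, merge_group and workflow_dispatch runs are unaffected by this guard.
    if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository
    permissions:
      contents: read          # needed only for checkout
      security-events: write  # needed only for the SARIF upload
    steps:
      - name: Checkout
        uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps to read.
          persist-credentials: false

      - name: Run zizmor
        # Assumption: pipx is used to fetch zizmor; pin the version with
        # `--spec` in a real workflow. `--format sarif` writes SARIF to stdout.
        run: pipx run zizmor --format sarif . > results.sarif
        env:
          # Read-scoped token; lets online audits resolve tags to commits.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF to Code Scanning
        # zizmor exits non-zero when it has findings, so upload unless cancelled.
        if: ${{ !cancelled() }}
        uses: github/codeql-action/upload-sarif@0000000000000000000000000000000000000000 # vX.Y.Z (placeholder SHA)
        with:
          sarif_file: results.sarif
          category: zizmor
```

Two checks worth running on a workflow like this: run zizmor on the repository locally before merging, since its own `unpinned-uses` audit will flag any `uses:` line that is not pinned to a full commit SHA, and confirm the fork guard by opening a test PR from a fork and verifying that the job is skipped rather than failing at the upload step. On a private repository, `github/codeql-action/upload-sarif` additionally needs `actions: read`, which the job above deliberately omits.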

