UID2-7011: gate zizmor scan on High-severity findings #252

Closed
swibi-ttd wants to merge 1 commit into main from swi-UID2-7011-flip-fail-severity

Conversation

@swibi-ttd

Contributor

Flips the dogfood zizmor caller from report-only to blocking on High (fail_severity: high), per the rollout plan on UID2-7011.

Preconditions all met:

This PR is also its own proof: the zizmor check on it now runs with the gate on and only stays green if the repo is clean at High. A red zizmor check from here on means a genuine new High-severity finding.

🤖 Generated with Claude Code

Flip the dogfood caller from report-only (fail_severity: never) to blocking
on High (fail_severity: high). The repo reached zero High-severity findings
in PRs #249-#251 (95 template-injection findings fixed) and the fixed
release path was verified end-to-end via a Snapshot canary on
uid2-attestation-api, so a red check from here on means a genuine new High
finding - a regression gate, per the UID2-7011 rollout plan.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@swibi-ttd

Contributor Author

Closing — superseded by #253: gating flips will go through the shared workflow's central default or per-repo ZIZMOR_FAIL_SEVERITY Actions variables rather than caller edits, and the flip itself is on hold until the org-wide rollout's High findings are fixed (see UID2-7011).

@swibi-ttd swibi-ttd closed this Jul 3, 2026
@swibi-ttd swibi-ttd deleted the swi-UID2-7011-flip-fail-severity branch July 3, 2026 03:27