UID2-7011: skip zizmor scan when there is nothing to scan#253
Open
swibi-ttd wants to merge 6 commits into
Conversation
min_severity and fail_severity now resolve with precedence: explicit caller input > calling repo's ZIZMOR_MIN_SEVERITY / ZIZMOR_FAIL_SEVERITY Actions variable > central default (high / never). Callers should be bare (no with:) so the org-wide rollout can be retuned without touching 50+ caller files: a central default change here ships to every bare caller via the moving v3 tag, and a repo variable flips one repo with no PR at all. Effective values are unchanged for all existing callers: the input defaults move from concrete values to an empty sentinel, and the fallback chain reproduces the old defaults when neither input nor variable is set. Also makes this repo's own caller bare (same behaviour as before via the central defaults) and documents the three-lever precedence in the README.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

zizmor exit 3 (no inputs collected) now splits by intent: with the default scan_paths '.', it means the repo genuinely has no GitHub Actions content - legitimate for ruleset-injected runs that target every repo in an org - so the job skips green with a notice in the summary. With caller-specified scan_paths, an empty collection is more likely a typo'd path and keeps failing closed (the fail-open concern from the original review stands). This lets the UnifiedID2 required-workflow ruleset target ~ALL repos instead of maintaining an include-list of repos with workflows.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

Revert the ZIZMOR_MIN_SEVERITY / ZIZMOR_FAIL_SEVERITY vars fallback and the empty-sentinel input defaults: minimal solution preferred - central control via bare callers inheriting the shared defaults is sufficient, and per-repo override support can be added later if staged per-repo gating turns out to need it. Inputs go back to concrete defaults (high / never).
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Makes a repo with nothing to scan pass instead of fail, so the scan can be applied blanket-style (e.g. the UnifiedID2 required-workflow ruleset targeting ~ALL repos).

zizmor exit 3 ("no inputs collected") now splits by intent:

- `scan_paths: '.'` → the repo genuinely has no GitHub Actions content → skip green with a summary notice
- caller-specified `scan_paths` → an empty collection is a probable typo → fail closed, as before

Verified empirically that a repo with no Actions content yields exit 3; actionlint + zizmor self-scan clean.

Also makes this repo's own caller bare (severity floors inherit the shared defaults — same effective values) and drops the `with:` line from the README adoption example.

Must merge and ship in a v3 release before uid2-okta-configuration#222 applies, since the ruleset-injected workflow calls `@v3`.

🤖 Generated with Claude Code
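The exit-3 split described in the PR body, as an added step script that is not the PR's own workflow code. The function name `resolve_zizmor_exit`, the `SCAN_PATHS` / `MIN_SEVERITY` variables and the summary wording are assumptions; the exit-code meanings (0 clean, 3 "no inputs collected") come from the PR text, and the `fail_severity` mapping of zizmor's finding exit codes is left out of scope.

```shell
#!/usr/bin/env sh
# Added example, not the PR's workflow code. Assumed names: SCAN_PATHS,
# MIN_SEVERITY, GITHUB_STEP_SUMMARY (the last one is GitHub's own variable).

# resolve_zizmor_exit <zizmor_exit_code> <scan_paths> <summary_file>
# Returns the status the job step should finish with.
resolve_zizmor_exit() {
  code="$1"; paths="$2"; summary="${3:-/dev/null}"
  case "$code" in
    0) return 0 ;;
    3)
      if [ "$paths" = "." ]; then
        # Default scan_paths: the repo simply has no Actions content,
        # which is legitimate for a ruleset-injected run. Skip green.
        printf '> zizmor: no GitHub Actions content to scan; skipped.\n' >> "$summary"
        echo "::notice::No GitHub Actions content found; zizmor scan skipped."
        return 0
      fi
      # Caller-specified paths collected nothing: probable typo, fail closed.
      echo "::error::scan_paths '$paths' matched no workflow or action files."
      return 1
      ;;
    *)
      # Any other code (findings, tool error) is propagated unchanged.
      return "$code" ;;
  esac
}

# Step wrapper: runs zizmor with the configured floor and applies the split.
run_zizmor_step() {
  paths="${SCAN_PATHS:-.}"
  rc=0
  # shellcheck disable=SC2086  # word-splitting of scan_paths is intended
  zizmor --min-severity "${MIN_SEVERITY:-high}" $paths || rc=$?
  resolve_zizmor_exit "$rc" "$paths" "${GITHUB_STEP_SUMMARY:-/dev/null}"
}
```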