UID2-7011: skip zizmor scan when there is nothing to scan #253

Open

swibi-ttd wants to merge 6 commits into main from swi-UID2-7011-zizmor-central-control
Conversation

@swibi-ttd swibi-ttd commented Jul 3, 2026

Contributor

Makes a repo with nothing to scan pass instead of fail, so the scan can be applied blanket-style (e.g. the UnifiedID2 required-workflow ruleset targeting ~ALL repos).

zizmor exit 3 ("no inputs collected") now splits by intent:

  • default scan_paths: '.' → the repo genuinely has no GitHub Actions content → skip green with a summary notice
  • explicit scan_paths → an empty collection is a probable typo → fail closed, as before

Verified empirically that a repo with no Actions content yields exit 3; actionlint + zizmor self-scan clean.

Also makes this repo's own caller bare (severity floors inherit the shared defaults — same effective values) and drops the with: line from the README adoption example.

Must merge and ship in a v3 release before uid2-okta-configuration#222 applies, since the ruleset-injected workflow calls @v3.

🤖 Generated with Claude Code

min_severity and fail_severity now resolve with precedence: explicit caller
input > calling repo's ZIZMOR_MIN_SEVERITY / ZIZMOR_FAIL_SEVERITY Actions
variable > central default (high / never). Callers should be bare (no with:)
so the org-wide rollout can be retuned without touching 50+ caller files:
a central default change here ships to every bare caller via the moving v3
tag, and a repo variable flips one repo with no PR at all.

Effective values are unchanged for all existing callers: the input defaults
move from concrete values to an empty sentinel, and the fallback chain
reproduces the old defaults when neither input nor variable is set.

Also makes this repo's own caller bare (same behaviour as before via the
central defaults) and documents the three-lever precedence in the README.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
swibi-ttd and others added 4 commits July 3, 2026 14:09
zizmor exit 3 (no inputs collected) now splits by intent: with the default
scan_paths '.', it means the repo genuinely has no GitHub Actions content -
legitimate for ruleset-injected runs that target every repo in an org - so
the job skips green with a notice in the summary. With caller-specified
scan_paths, an empty collection is more likely a typo'd path and keeps
failing closed (the fail-open concern from the original review stands).

This lets the UnifiedID2 required-workflow ruleset target ~ALL repos
instead of maintaining an include-list of repos with workflows.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Revert the ZIZMOR_MIN_SEVERITY / ZIZMOR_FAIL_SEVERITY vars fallback and the
empty-sentinel input defaults: minimal solution preferred - central control
via bare callers inheriting the shared defaults is sufficient, and per-repo
override support can be added later if staged per-repo gating turns out to
need it. Inputs go back to concrete defaults (high / never).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@swibi-ttd swibi-ttd changed the title UID2-7011: centrally controllable zizmor severity floors UID2-7011: skip zizmor scan when there is nothing to scan Jul 3, 2026
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
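The exit-3 split described in the PR description and in the second commit message above, as an added example that is not the repository's own workflow code: a POSIX sh step script that runs the scanner and applies the pass / skip-green / fail-closed policy. `run_scan` and `zizmor_policy` are hypothetical names, and the second argument of `run_scan` (the scanner command) is an added parameter so a constructed stand-in can be substituted for `zizmor` when exercising the logic offline.

```sh
# Added example, not the repository's own workflow code.
# Assumes the zizmor exit statuses the PR describes: 0 = clean,
# 3 = "no inputs collected"; any other status is passed through unchanged.

# Decide what a zizmor exit status means for this run.
#   $1 = zizmor exit status
#   $2 = scan_paths exactly as the caller supplied it ('.' is the default)
# Returns 0 to pass (or skip green), 3 to fail closed, otherwise $1.
zizmor_policy() {
  status="$1"
  scan_paths="$2"
  if [ "$status" -ne 3 ]; then
    return "$status"
  fi
  if [ "$scan_paths" = "." ]; then
    # Default paths and nothing collected: the repo genuinely has no Actions
    # content, which is legitimate for a ruleset that targets every repo.
    echo "::notice::zizmor: no GitHub Actions content found, skipping scan"
    printf '%s\n' "zizmor: nothing to scan, skipped" \
      >> "${GITHUB_STEP_SUMMARY:-/dev/null}"
    return 0
  fi
  # Caller-specified paths that collect nothing are more likely a typo:
  # keep failing closed rather than silently passing.
  echo "::error::zizmor: no inputs collected under '$scan_paths'"
  return 3
}

# Run the scanner and apply the policy.
#   $1 = scan_paths (default '.')
#   $2 = scanner command (default zizmor; hypothetical parameter so a
#        stand-in can be substituted when testing the policy)
run_scan() {
  scan_paths="${1:-.}"
  scanner="${2:-zizmor}"
  # Capture the status instead of letting `set -e` abort the step;
  # $scan_paths is left unquoted on purpose so several paths can be passed.
  "$scanner" $scan_paths && status=0 || status=$?
  zizmor_policy "$status" "$scan_paths"
}
```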