From ee43719079d878cdc2c31c5fcac48ae2792a51db Mon Sep 17 00:00:00 2001 From: ShaharNaveh <50263213+ShaharNaveh@users.noreply.github.com> Date: Wed, 18 Mar 2026 15:09:28 +0100 Subject: [PATCH 1/7] Add zizmor CI --- .github/workflows/ci.yaml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index d036d465d0f..e5b251fc4a9 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -554,3 +554,12 @@ jobs: run: wasmer run --dir `pwd` target/wasm32-wasip1/release/rustpython.wasm -- `pwd`/extra_tests/snippets/stdlib_random.py - name: run cpython unittest run: wasmer run --dir `pwd` target/wasm32-wasip1/release/rustpython.wasm -- `pwd`/Lib/test/test_int.py + + security-lint: + runs-on: ubuntu-latest + if: ${{ github.ref == 'refs/heads/main' }} + permissions: + security-events: write + steps: + - name: Run zizmor + uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1 From dd0f9d2840e7cf7d42f0eef47bd5a9335e709d73 Mon Sep 17 00:00:00 2001 From: Shahar Naveh <50263213+ShaharNaveh@users.noreply.github.com> Date: Wed, 18 Mar 2026 16:06:30 +0100 Subject: [PATCH 2/7] Update .github/workflows/ci.yaml Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com> --- .github/workflows/ci.yaml | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index e5b251fc4a9..4f72e4960d3 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -560,6 +560,14 @@ jobs: if: ${{ github.ref == 'refs/heads/main' }} permissions: security-events: write - steps: - - name: Run zizmor - uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1 + security-lint: + runs-on: ubuntu-latest + if: ${{ github.ref == 'refs/heads/main' }} + permissions: + security-events: write + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1 From 403175d4c85b3f74c78be39241cb8e7138c654bf Mon Sep 17 00:00:00 2001 From: ShaharNaveh <50263213+ShaharNaveh@users.noreply.github.com> Date: Wed, 18 Mar 2026 16:07:48 +0100 Subject: [PATCH 3/7] Fix dup --- .github/workflows/ci.yaml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 4f72e4960d3..a2c11779c02 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -560,11 +560,6 @@ jobs: if: ${{ github.ref == 'refs/heads/main' }} permissions: security-events: write - security-lint: - runs-on: ubuntu-latest - if: ${{ github.ref == 'refs/heads/main' }} - permissions: - security-events: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: From e3a74cb41075dc0cf72e2fece2df9372f1f6e202 Mon Sep 17 00:00:00 2001 From: ShaharNaveh <50263213+ShaharNaveh@users.noreply.github.com> Date: Wed, 18 Mar 2026 16:18:21 +0100 Subject: [PATCH 4/7] Fix indent --- .github/workflows/ci.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index a2c11779c02..bcee96c7c92 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
@@ -560,9 +560,9 @@ jobs: if: ${{ github.ref == 'refs/heads/main' }} permissions: security-events: write - steps: - - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - with: - persist-credentials: false - - name: Run zizmor - uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1 + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + persist-credentials: false + - name: Run zizmor + uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1 From 700e0d4ef8e39d97f1d329eec5eaa8444fe64e19 Mon Sep 17 00:00:00 2001 From: ShaharNaveh <50263213+ShaharNaveh@users.noreply.github.com> Date: Thu, 19 Mar 2026 09:54:43 +0100 Subject: [PATCH 5/7] Always run zizmor --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index bcee96c7c92..1f6c81defc5 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -557,12 +557,12 @@ jobs: security-lint: runs-on: ubuntu-latest - if: ${{ github.ref == 'refs/heads/main' }} permissions: security-events: write steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: false + - name: Run zizmor uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1 From 7c86e58aea4448fdd45f1c29521e72a07bad938f Mon Sep 17 00:00:00 2001 From: ShaharNaveh <50263213+ShaharNaveh@users.noreply.github.com> Date: Thu, 19 Mar 2026 18:32:57 +0100 Subject: [PATCH 6/7] Remove dynamic `with` for zizmor --- .github/workflows/ci.yaml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b11f8b44d6c..b36dd2fd7de 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml 
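Review bot: Dropping the `if: ${{ github.ref == 'refs/heads/main' }}` line means `security-lint` now also runs for pull requests, and for pull requests opened from forks GITHUB_TOKEN is read-only no matter what the job's `permissions:` block asks for, so the `security-events: write` granted here will not be available in those runs; if the zizmor step's SARIF upload depends on that scope, those runs would fail at the upload rather than at the lint itself, which is worth confirming against the action's behaviour or handling by gating only the upload on the event type while still linting everywhere. A related point on the same `permissions:` block: a job-level `permissions:` sets every unlisted scope to none, so on a private repository `contents: read` would also be needed for the checkout step to fetch the tree (not an issue for a public repository). The `+` blank line inserted between the checkout step and `- name: Run zizmor` looks incidental to the "Always run zizmor" change and could be left out to keep the commit focused.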
@@ -141,7 +141,12 @@ jobs: - name: Install dependencies uses: ./.github/actions/install-linux-deps - with: ${{ matrix.dependencies || fromJSON('{}') }} + # zizmor has an issue with dynamic `with` + # with: ${{ matrix.dependencies || fromJSON('{}') }} + with: + gcc-multilib: ${{ matrix.dependencies.gcc-multilib || false }} + musl-tools: ${{ matrix.dependencies.musl-tools || false }} + gcc-aarch64-linux-gnu: ${{ matrix.dependencies.gcc-aarch64-linux-gnu || false }} - uses: dtolnay/rust-toolchain@stable with: From 1dbf9125a61b2b19862bbff0eb4ee7434d8178f7 Mon Sep 17 00:00:00 2001 From: ShaharNaveh <50263213+ShaharNaveh@users.noreply.github.com> Date: Fri, 20 Mar 2026 09:16:26 +0100 Subject: [PATCH 7/7] Bump action version --- .github/workflows/ci.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 2d13ff886cf..48bbde072ed 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -587,4 +587,4 @@ jobs: persist-credentials: false - name: Run zizmor - uses: zizmorcore/zizmor-action@135698455da5c3b3e55f73f4419e481ab68cdd95 # v0.4.1 + uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
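Review bot: The three input names now listed under `with:` are hard-coded in the workflow, so this step no longer passes through whatever the matrix defines: any key added later to `matrix.dependencies` or to the inputs of `./.github/actions/install-linux-deps` is silently dropped here unless this list is updated too, and a comment such as `# keep this list in sync with the matrix.dependencies keys and the inputs of .github/actions/install-linux-deps` would make that coupling visible. The commented-out `# with: ${{ matrix.dependencies || fromJSON('{}') }}` line reads as a dead copy of the old code; keeping only the first comment explaining why the dynamic form was dropped, and leaving the old expression to git history, would be cleaner. Note also that each `|| false` reaches the composite action as the string `"false"`, whereas the previous `|| fromJSON('{}')` form left those inputs unset so they took the action's own defaults — presumably equivalent, but worth confirming against the action's input defaults. The enclosing job definition starts outside the hunk.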