
ci: add zizmor and harden v0.x CI#10638

Merged
jasonsaayman merged 2 commits into axios:v0.x from shaanmajid:feat/v0x-zizmor on Apr 3, 2026

Conversation

@shaanmajid
Contributor

@shaanmajid shaanmajid commented Apr 2, 2026

Summary

v0.x counterpart to #10618 and #10627. Adds zizmor and hardens the existing CI workflow, matching the v1.x setup.

run-ci-v0.yml: SHA-pins all actions and sets persist-credentials: false (was true). SHAs can be verified with pinact or zizmor.

zizmor.yml: new workflow, copied from v1.x. Runs on pushes to v0.x and on PRs, uploads SARIF to code scanning.


Summary by cubic

Adds zizmor security scanning and hardens v0.x CI by pinning actions and disabling credential persistence. Aligns the v0.x pipeline with v1.x to improve supply-chain security.

  • Description

    • Added .github/workflows/zizmor.yml to scan GitHub Actions on pushes to v0.x and all PRs; uploads SARIF to code scanning. Uses top-level permissions: {} and grants security-events: write only.
    • Hardened .github/workflows/run-ci-v0.yml: SHA-pinned actions/checkout, actions/setup-node, and actions/dependency-review-action; set persist-credentials: false.
    • Synced with the latest v0.x to keep CI config in step.
  • Testing

    • CI-only changes; validated via workflow runs.
    • Pins can be verified with pinact or zizmor; no additional tests needed.

Written for commit f9e132b. Summary will update on new commits.
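A small check in the spirit of the three controls described above, written here as an added example (not part of this PR, of axios, or of zizmor itself): it flags an action reference that is not a full 40-hex commit SHA, a checkout step without persist-credentials: false, and a workflow with no top-level permissions key. Both workflow strings are constructed for the example, and the SHA in the hardened one is a placeholder, not a real commit id.

```python
import re

# Constructed "before" workflow: tag-pinned action, persist-credentials left
# at its default (true), no top-level permissions key. Not the PR's file.
WEAK = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
"""
# Constructed "after" workflow in the shape the PR describes. The SHA is a
# placeholder, not a real commit id; the trailing comment records the tag.
HARDENED = """\
name: ci
on: [push, pull_request]
permissions: {}
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
        with:
          persist-credentials: false
"""
USES = re.compile(r"^\s*(?:-\s*)?uses:\s*(\S+)")
PERSIST_OFF = re.compile(r"^\s*persist-credentials:\s*false\b", re.M)

def audit_workflow(text):
    """Simplified lint for the three controls the PR applies; not zizmor."""
    findings, lines = [], text.splitlines()
    if not re.search(r"^permissions:", text, re.M):
        findings.append("workflow: no top-level permissions key")
    for i, line in enumerate(lines):
        if not (m := USES.match(line)):
            continue
        ref = m.group(1)
        if not re.fullmatch(r"[^@]+@[0-9a-f]{40}", ref):
            findings.append(f"{ref}: not pinned to a full commit SHA")
        if ref.startswith("actions/checkout@"):
            # The step's settings run until the next `uses:` line.
            rest = lines[i + 1:]
            end = next((j for j, l in enumerate(rest) if USES.match(l)), len(rest))
            if not PERSIST_OFF.search("\n".join(rest[:end])):
                findings.append(f"{ref}: persist-credentials not set to false")
    return findings
```

Running audit_workflow over WEAK yields all three findings; over HARDENED it yields none, which is the state the PR leaves run-ci-v0.yml in.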

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 2 files

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@shaanmajid shaanmajid changed the title fix(ci): add zizmor and harden v0.x CI ci: add zizmor and harden v0.x CI Apr 3, 2026
@jasonsaayman jasonsaayman added the labels commit::ci (The PR is related to CI) and type::security (The PR is a secuirty related changed normally from a CVE) Apr 3, 2026
@jasonsaayman jasonsaayman merged commit 58a6043 into axios:v0.x Apr 3, 2026
12 checks passed
@shaanmajid shaanmajid deleted the feat/v0x-zizmor branch April 3, 2026 17:41