ci: enforce the zizmor action-pinning policy on the template's workflows #4
devantler wants to merge 1 commit into
Conversation
The template ships framework-agnostic .github/workflows/ plumbing to every tenant via template-sync, but nothing validated those workflows in the template repo: zizmor.yml declared an action-pinning policy that no workflow ran (dead config), and the README claimed it was "enforced by the security scan" — a scan that did not exist. validate-scaffold.yaml (#3) gated the deploy/ scaffold but not the other half of the template's deliverable.

Consolidate into validate-template.yaml (renamed from validate-scaffold.yaml) with two template-repo-only jobs: the existing kustomize-build gate plus a zizmor scan that enforces zizmor.yml against the workflows — the same scanner the rest of the portfolio runs. Both jobs are guarded to the template repo and no-op in tenants, mirroring cd.yaml/release.yaml. One workflow file keeps tenant check-noise to a single perpetually-skipped run instead of two. README's owned-files table and Validate-locally block updated to match.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
Consolidates template-repo CI gates into a single validate-template.yaml workflow that runs both the existing kustomize scaffold check and a new zizmor action-pinning scan, making the previously-dead zizmor.yml policy actually enforced.
Changes:
- Renames `validate-scaffold.yaml` → `validate-template.yaml` and adds a `zizmor` job alongside the existing kustomize-build job, both guarded to run only in the template repo.
- Uses `zizmorcore/zizmor-action@v0.5.6` (hash-pinned) to enforce the existing `zizmor.yml` policy across all template workflows.
- Updates README's owned-files table and Validate locally block to reflect the renamed workflow and the now-real `zizmor` enforcement.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| `.github/workflows/validate-template.yaml` | New consolidated workflow with validate-scaffold and zizmor jobs, both template-repo-only. |
| `.github/workflows/validate-scaffold.yaml` | Deleted; superseded by validate-template.yaml. |
| `README.md` | Updates owned-files table and local-validation block to reference the new workflow and zizmor command. |
Closing — this PR is based on a false premise. The org-wide ruleset ScanGitHubActions ( Nothing to salvage: the rename + README changes existed only to host the now-redundant job. The repo already has the
Problem
The template's two deliverables are the `deploy/` Kustomize scaffold and the framework-agnostic `.github/workflows/` plumbing — both template-owned and propagated to every tenant via template-sync. #3 added `validate-scaffold.yaml` to gate the scaffold, but the workflow half was unguarded:
- `zizmor.yml` declared an action-pinning policy that no workflow ever ran — dead config.
- `zizmor.yml` was "enforced by the security scan," but no security scan existed — inaccurate docs.
Change
Consolidate the scaffold gate and a new security scan into a single template-repo-only validation workflow:
- Rename `validate-scaffold.yaml` → `validate-template.yaml` and add a `zizmor` job beside the existing kustomize-build job. Both are guarded `if: github.repository == 'devantler-tech/gitops-tenant-template'`, so they no-op in tenants (symmetric to `cd.yaml`/`release.yaml`). One workflow file keeps tenant check-noise to a single perpetually-skipped run instead of two.
- The `zizmor` job uses `zizmorcore/zizmor-action` (hash-pinned `v0.5.6`) — the same scanner the rest of the portfolio runs (e.g. `devantler-tech/actions`) — and enforces the existing `zizmor.yml` policy against the template's workflows.
- `zizmor.yml` claim is now true; the local `zizmor .github/workflows/` command added for CI parity).
Validation (local)
- `zizmor --config zizmor.yml .github/workflows/` → No findings to report (clean across all 5 workflows incl. the new one) ✅
- `actionlint .github/workflows/validate-template.yaml` → clean ✅
- `kubectl kustomize deploy/` → unchanged (the existing job is byte-identical) ✅
Note for the maintainer
Like `Validate Scaffold` before it (per #3's body), these jobs run and are visible but do not yet gate merges — the branch ruleset still requires only `CI - Required Checks`. If you'd like them to block, add `Validate Scaffold` and `Scan Workflows (zizmor)` to the `main` ruleset's required-status-checks (a ruleset change is yours to make).