UID2-7011: skip zizmor scan when there is nothing to scan#253
Conversation
min_severity and fail_severity now resolve with precedence: explicit caller input > calling repo's ZIZMOR_MIN_SEVERITY / ZIZMOR_FAIL_SEVERITY Actions variable > central default (high / never). Callers should be bare (no with:) so the org-wide rollout can be retuned without touching 50+ caller files: a central default change here ships to every bare caller via the moving v3 tag, and a repo variable flips one repo with no PR at all. Effective values are unchanged for all existing callers: the input defaults move from concrete values to an empty sentinel, and the fallback chain reproduces the old defaults when neither input nor variable is set. Also makes this repo's own caller bare (same behaviour as before via the central defaults) and documents the three-lever precedence in the README. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
zizmor exit 3 (no inputs collected) now splits by intent: with the default scan_paths '.', it means the repo genuinely has no GitHub Actions content - legitimate for ruleset-injected runs that target every repo in an org - so the job skips green with a notice in the summary. With caller-specified scan_paths, an empty collection is more likely a typo'd path and keeps failing closed (the fail-open concern from the original review stands). This lets the UnifiedID2 required-workflow ruleset target ~ALL repos instead of maintaining an include-list of repos with workflows. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Revert the ZIZMOR_MIN_SEVERITY / ZIZMOR_FAIL_SEVERITY vars fallback and the empty-sentinel input defaults: minimal solution preferred - central control via bare callers inheriting the shared defaults is sufficient, and per-repo override support can be added later if staged per-repo gating turns out to need it. Inputs go back to concrete defaults (high / never). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Two things worth addressing on the new exit-3 handling before the gate flips to enforcing under UID2-7425 (non-blocking for merging this as staged report-only): 1. The skip-green path is fail-open and not falsifiable. On Suggest: grep (Realistic risk today is low — a GitHub-executed workflow lives in 2. This branch is untested and unreachable by this repo's own CI. Since Suggest: add a shell/bats fixture test (empty repo + default |
…gate Address review feedback on the exit-3 path: instead of a separate skip branch with its own summary and exit 0, a verified nothing-to-scan run (exit 3 on the default '.' scan, 'no inputs collected' confirmed in the scan log) flows through the shared summary block and the severity gate. The skip therefore carries the same evidence as a real run (version, paths, inputs audited: 0, floors, config, gate, full scan log) and passes the gate naturally since 3 is below every fail threshold. Exit 3 without the logged reason, or with explicit scan_paths, still fails closed. Verified with a fixture matrix: empty repo + default '.' (skips green, including under fail_severity: high), empty + explicit paths (fails), repo with workflows (normal path unchanged). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
|
Makes a repo with nothing to scan pass instead of fail, so the scan can be applied blanket-style (e.g. the UnifiedID2 required-workflow ruleset targeting
~ALLrepos).zizmor exit 3 ("no inputs collected") now splits by intent:
scan_paths: '.'→ the repo genuinely has no GitHub Actions content → skip green with a summary noticescan_paths→ an empty collection is a probable typo → fail closed, as beforeVerified empirically that a repo with no Actions content yields exit 3; actionlint + zizmor self-scan clean.
Also makes this repo's own caller bare (severity floors inherit the shared defaults — same effective values) and drops the
with:line from the README adoption example.Must merge and ship in a v3 release before uid2-okta-configuration#222 applies, since the ruleset-injected workflow calls
@v3.🤖 Generated with Claude Code