Skip to content

gateway: emit zizmor unpinned-tools ignore off the uses: line (closes #952)#1034

Open
potiuk wants to merge 1 commit into
mainfrom
fix/dependabot-zizmor-version-comment
Open

gateway: emit zizmor unpinned-tools ignore off the uses: line (closes #952)#1034
potiuk wants to merge 1 commit into
mainfrom
fix/dependabot-zizmor-version-comment

Conversation

@potiuk

@potiuk potiuk commented Jul 12, 2026

Copy link
Copy Markdown
Member

Fixes #952.

Problem

Dependabot's github_actions comment-updater only rewrites a # vX.Y.Z comment when the version is the trailing token -- file_updater.rb deliberately skips comments with text after the version (comment.end_with?(version)). The gateway emitted the sentinel step's zizmor ignore right after the version on the uses: line:

- uses: 1Password/load-secrets-action@<sha>  # v4.0.0  # zizmor: ignore[unpinned-tools] ...

so on a bump Dependabot updated the hash but left # v4.0.0 stale, and zizmor's ref-version-mismatch (medium) then failed CI -- fixed by hand in #932 and set to recur on every future bump of an ignored action.

Fix

Emit the ignore on the if: false line instead:

    - uses: 1Password/load-secrets-action@<sha>  # v4.0.1
      if: false  # zizmor: ignore[unpinned-tools] generated sentinel step is never executed
      with:
        version: "2.30.0"

It's still within the sentinel step's finding span (zizmor docs), so unpinned-tools stays suppressed, while the version tag is now the trailing token on the uses: line, so Dependabot keeps it in sync.

  • gateway.py: build the uses: comment from the tag only; append the ignore to the if: false line.
  • Regenerated .github/actions/for-dependabot-triggered-reviews/action.yml (2-line diff).
  • test_gateway.py: assert the new placement and that the ignore never lands on the uses: line.
  • Verified: gateway / allowlist-check tests pass, prek clean, zizmor clean on the composite, and the composite -> actions.yml read-back round-trips with no diff.

🤖 Generated with Claude Code

…952)

Dependabot's github_actions comment-updater only rewrites a version comment
when the version is the trailing token of the comment; if any text follows
(file_updater.rb: `comment.end_with?(version)`), it skips the update for
safety. The gateway emitted the sentinel step's zizmor ignore right after the
version on the uses: line:

    - uses: 1Password/load-secrets-action@<sha>  # v4.0.0  # zizmor: ignore[unpinned-tools] ...

so Dependabot bumped the hash but left the version stale, and zizmor's
ref-version-mismatch (medium) then failed CI (had to be fixed by hand in #932).

Emit the ignore on the `if: false` line instead -- still within the sentinel
step's finding span (https://docs.zizmor.sh/usage/#ignoring-results), so
unpinned-tools stays suppressed -- leaving the version tag as the trailing
token of the uses: comment so Dependabot keeps it in sync. The composite is
regenerated accordingly; the composite->actions.yml read-back is unchanged and
round-trips cleanly.

Generated-by: Claude Opus 4.8 (1M context) via Claude Code
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

dependabot leaves a stale version comment on uses: lines carrying a trailing # zizmor: ignore[...]

1 participant