ci: harden welcome.yml and silence zizmor dangerous-triggers#908

Open: anevolbap wants to merge 1 commit into pymc-labs:main from anevolbap:issue-888-zizmor-welcome-workflow

Conversation

@anevolbap (Contributor) commented May 7, 2026

Resolve zizmor dangerous-triggers alert on welcome.yml

Closes #888.

Summary

The welcome workflow uses pull_request_target so it can comment and label PRs from forks (the read-only pull_request token cannot write). zizmor flags this trigger categorically, but the usage here is one of the documented safe cases. This PR suppresses the alert with an inline justification and applies defense-in-depth hardening so the rationale lives next to the code.

Changes

  • Inline # zizmor: ignore[dangerous-triggers] on the trigger with a short justification.
  • Top-level permissions: {} (deny-all), with issues: write and pull-requests: write moved to the job.
  • Hoist github.actor into a job-level env: ACTOR and reference ${{ env.ACTOR }} in the action inputs.

No behavior change.

Testing

  • prek run --files .github/workflows/welcome.yml passes.
  • The workflow itself only runs on real pull_request_target / issues events, so end-to-end validation will happen on the next first-time contributor event.

Suppress zizmor dangerous-triggers with an inline justification, set
top-level permissions to {} and grant issues/pull-requests write at the
job level only, and hoist github.actor into env:.

Closes pymc-labs#888
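The three changes listed in the PR summary, laid out in one workflow as an added example (this is not the repository's welcome.yml; the action name `actions/first-interaction`, its inputs and the event types are assumptions chosen for illustration). The weak layout this replaces is noted in comments: `issues: write` / `pull-requests: write` granted at the top level, and `${{ github.actor }}` interpolated directly in the action inputs.

```yaml
# Added example, not the pymc-labs welcome.yml. Shows the hardened shape the
# PR description gives: inline zizmor ignore, deny-all top-level permissions,
# job-scoped writes, and github.actor hoisted into env.
name: Welcome

# pull_request_target runs in the context of the base repository, so its
# token can comment and label PRs from forks (a plain pull_request run from a
# fork only gets a read-only token). zizmor flags the trigger categorically;
# it is safe here because the job never checks out or executes PR contents.
on:
  pull_request_target: # zizmor: ignore[dangerous-triggers]
    # Justification: only comments/labels via the API; no checkout, no run of PR code.
    types: [opened]
  issues:
    types: [opened]

# Before: the two writes below sat here at the top level, so every job in
# the file (and any job added later) inherited them. Now deny-all by default.
permissions: {}

jobs:
  welcome:
    runs-on: ubuntu-latest
    # The single job re-grants exactly what commenting and labelling need.
    permissions:
      issues: write
      pull-requests: write
    env:
      # Before: ${{ github.actor }} was expanded inline in each action input.
      # Hoisting it into env passes the value as data through one well-known
      # name instead of an expression at every use site.
      ACTOR: ${{ github.actor }}
    steps:
      # Deliberately no actions/checkout step: checking out the PR head under
      # pull_request_target would expose the write token to fork-controlled code.
      - uses: actions/first-interaction@v1 # assumed action; inputs are illustrative
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          issue-message: "Thanks for opening your first issue, @${{ env.ACTOR }}!"
          pr-message: "Thanks for opening your first pull request, @${{ env.ACTOR }}!"
```

The check that matters when reviewing a file like this is the absence of any step that fetches or runs the PR's own contents; the moment one is added, the justification on the ignore comment no longer holds and the alert should be allowed to fire again.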
@anevolbap (Contributor, Author):

Going with option 1 from the issue: inline zizmor ignore with a written justification, top-level permissions: {} with the writes moved to job level, and github.actor hoisted into env: ACTOR. No behavior change. The other options stay on the table if the alert pattern resurfaces or the workflow grows to actually touch PR contents.

codecov bot commented May 7, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.87%. Comparing base (e14d731) to head (b2ae632).

@@           Coverage Diff           @@
##             main     #908   +/-   ##
=======================================
  Coverage   94.87%   94.87%           
=======================================
  Files          85       85           
  Lines       13174    13174           
  Branches      793      793           
=======================================
  Hits        12499    12499           
  Misses        479      479           
  Partials      196      196           

☔ View full report in Codecov by Sentry.
@juanitorduz juanitorduz requested a review from drbenvincent May 7, 2026 09:13