Added GitHub Actions linter (zizmor).

At the direction of the Security Team. Thanks Markus Holtermann, Jake Howard, and Natalia Bidart for reviews.
2025-12-11 03:43:00 +00:00 · 2025-11-14 13:30:30 -05:00 · 2025-11-14 13:30:30 -05:00 · 09d4bf5cd9
commit 09d4bf5cd9
parent a523d5c833
5 changed files with 32 additions and 7 deletions
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@ -60,3 +60,14 @@ jobs:
        uses: actions/checkout@v5
      - name: black
        uses: psf/black@stable
+
+  zizmor:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+        with:
+          advanced-security: false
+          annotations: true
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@ -24,3 +24,7 @@ repos:
    rev: v9.36.0
    hooks:
      - id: eslint
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.16.3 
+    hooks:
+    - id: zizmor
--- a/docs/internals/contributing/writing-code/submitting-patches.txt
+++ b/docs/internals/contributing/writing-code/submitting-patches.txt
@ -432,8 +432,8 @@ All code changes

 * Does the :doc:`coding style
  </internals/contributing/writing-code/coding-style>` conform to our
-  guidelines? Are there any  ``black``, ``blacken-docs``, ``flake8``, or
-  ``isort`` errors? You can install the :ref:`pre-commit
+  guidelines? Are there any  ``black``, ``blacken-docs``, ``flake8``,
+  ``isort``, or ``zizmor`` errors? You can install the :ref:`pre-commit
  <coding-style-pre-commit>` hooks to automatically catch these errors.
 * If the change is backwards incompatible in any way, is there a note
  in the release notes (``docs/releases/A.B.txt``)?
--- a/docs/internals/contributing/writing-code/unit-tests.txt
+++ b/docs/internals/contributing/writing-code/unit-tests.txt
@ -69,11 +69,11 @@ command from any place in the Django source tree:
    $ tox

 By default, ``tox`` runs the test suite with the bundled test settings file for
-SQLite, ``black``, ``blacken-docs``, ``flake8``, ``isort``, ``lint-docs`` and
-the documentation spelling checker. In addition to the system dependencies
-noted elsewhere in this documentation, the command ``python3`` must be on your
-path and linked to the appropriate version of Python. A list of default
-environments can be seen as follows:
+SQLite, ``black``, ``blacken-docs``, ``flake8``, ``isort``, ``lint-docs``,
+``zizmor``, and the documentation spelling checker. In addition to the system
+dependencies noted elsewhere in this documentation, the command ``python3``
+must be on your path and linked to the appropriate version of Python. A list of
+default environments can be seen as follows:

 .. console::

@ -85,6 +85,7 @@ environments can be seen as follows:
    docs
    isort>=7.0.0
    lint-docs
+    zizmor>=1.16.3

 Testing other Python versions and database backends
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- a/tox.ini
+++ b/tox.ini
@ -14,6 +14,7 @@ envlist =
    docs
    isort
    lint-docs
+    zizmor

 # Add environment to use the default python3 installation
 [testenv:py3]
@ -98,3 +99,11 @@ deps = sphinx-lint
 changedir = docs
 commands =
    make lint
+
+[testenv:zizmor]
+basepython = python3
+usedevelop = false
+deps = zizmor >= 1.16.3
+changedir = {toxinidir}
+commands =
+    zizmor .