## Summary
Also bumps `cargo dist` to 0.30, and moves us
back to the upstream copy of `dist` now that
the latest version has integrated our fork's
patches.
## Test Plan
See what happens in CI 🙂
---------
Signed-off-by: William Woodruff <william@astral.sh>
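---
# Configuration for the zizmor static analysis tool, run via pre-commit in CI
# https://woodruffw.github.io/zizmor/configuration/
#
# Each `ignore` entry below suppresses the named rule for that whole workflow
# file (not a single step), so re-review the entry whenever the ignored
# workflow changes.
#
# TODO: can we remove the ignores here so that our workflows are more secure?
rules:
  dangerous-triggers:
    ignore:
      - pr-comment.yaml
  cache-poisoning:
    ignore:
      - build-docker.yml
  excessive-permissions:
    # it's hard to test what the impact of removing these ignores would be
    # without actually running the release workflow...
    ignore:
      - build-docker.yml
      - publish-docs.yml
  secrets-inherit:
    # `cargo dist` makes extensive use of `secrets: inherit`,
    # and we can't easily fix that until an upstream release changes that.
    # NOTE: `disable` switches the rule off for every workflow, not only the
    # `cargo dist` generated ones; an `ignore` list scoped to those files would
    # keep the check active for any new workflow. Worth re-checking on the next
    # `cargo dist` bump whether the upstream release still needs this.
    disable: true
  template-injection:
    ignore:
      # like with `secrets-inherit`, `cargo dist` introduces some
      # template injections. We've manually audited these usages for safety.
      # The audit covers the file as it is today; repeat it whenever
      # `cargo dist` is bumped and release.yml changes.
      - release.yml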