feat: decrease sensitivity of concurrency-limits audit (#1303)

This commit is contained in:
William Woodruff 2025-10-31 16:09:11 -04:00 committed by GitHub
parent de6ef65ba0
commit 14f57d9ca6
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 13 additions and 37 deletions


@ -6,7 +6,7 @@ use crate::{
state::AuditState,
};
use anyhow::Result;
use github_actions_models::{common::expr::BoE, workflow::Concurrency};
use github_actions_models::workflow::Concurrency;
pub(crate) struct ConcurrencyLimits;
@ -28,29 +28,6 @@ impl Audit for ConcurrencyLimits {
) -> Result<Vec<Finding<'doc>>> {
let mut findings = vec![];
match &workflow.concurrency {
Some(Concurrency::Rich {
group: _,
cancel_in_progress,
}) => {
if let BoE::Literal(cancel) = &cancel_in_progress
&& !cancel
{
findings.push(
Self::finding()
.confidence(Confidence::High)
.severity(Severity::Low)
.persona(Persona::Pedantic)
.add_location(
workflow
.location()
.primary()
.with_keys(["concurrency".into()])
.annotated("cancel-in-progress set to false"),
)
.build(workflow)?,
);
};
}
Some(Concurrency::Bare(_)) => {
findings.push(
Self::finding()
@ -82,6 +59,11 @@ impl Audit for ConcurrencyLimits {
.build(workflow)?,
);
}
// NOTE: Per #1302, we don't nag the user if they've explicitly set
// `cancel-in-progress: false` or similar. This is like with the
// artipacked audit, where `persist-credentials: true` is seen as
// a positive signal of user intent.
_ => {}
}
Ok(findings)
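Review bot: The wildcard arm `_ => {}` added in the third hunk now absorbs both `None` and every `Concurrency::Rich` value, while the NOTE above it only justifies sparing an explicit `cancel-in-progress: false`; if the model fills an absent `cancel-in-progress` key with a default `false` (which I believe `github_actions_models` does, worth confirming), a `concurrency:` block that names only a `group` is now also silent even though GitHub treats it like the `Bare` form the audit still flags. Naming the arms keeps the match exhaustive and makes that choice visible: `Some(Concurrency::Rich { .. }) | None => {}`. If the group-only form should still be reported, the `Rich` arm would need to distinguish a defaulted value from a user-written one; otherwise extend the NOTE to say that `Rich` without `cancel-in-progress` is deliberately exempt as well. The snapshot in the second file pins only the explicit `cancel-in-progress: false` fixture, so a case for the group-only form would document whichever behavior is intended. The enclosing function begins before the first hunk, and the `Bare` arm is split across the second and third hunks.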


@ -1078,6 +1078,7 @@ fn concurrency_limits() -> Result<()> {
"
);
// Note: per #1302, we intentionally don't produce findings here.
insta::assert_snapshot!(
zizmor()
.input(input_under_test(
@ -1085,19 +1086,7 @@ fn concurrency_limits() -> Result<()> {
))
.args(["--persona=pedantic"])
.run()?,
@r"
help[concurrency-limits]: insufficient job-level concurrency limits
--> @@INPUT@@:5:1
|
5 | / concurrency:
6 | | group: ${{ github.workflow }}-${{ github.event.pull_request_number || github.ref }}
7 | | cancel-in-progress: false
| |___________________________^ cancel-in-progress set to false
|
= note: audit confidence High
1 finding: 0 informational, 1 low, 0 medium, 0 high
"
@"No findings to report. Good job!"
);
insta::assert_snapshot!(


@ -9,6 +9,11 @@ of `zizmor`.
## Next (UNRELEASED)
### Enhancements 🌱
* The [concurrency-limits] audit no longer flags explicit user concurrency
overrides, e.g. `cancel-in-progress: false` (#1302)
## 1.16.1
### Enhancements 🌱