Skip to content

feat: input for zizmor-version#1240

Closed
vgelbgras wants to merge 10 commits intomainfrom
feat/input-for-zizmor-version
Closed

feat: input for zizmor-version#1240
vgelbgras wants to merge 10 commits intomainfrom
feat/input-for-zizmor-version

Conversation

@vgelbgras
Copy link
Copy Markdown
Contributor

@vgelbgras vgelbgras commented Mar 27, 2026
edited
Loading

This pull request adds configurability to the Zizmor tool version in the check-actions-security GitHub Action. Instead of always installing a fixed version, users can now specify which version to use via an input parameter.

Enhancements to Zizmor version control:

  • Added a new input parameter zizmor-version to action.yml, allowing users to specify the desired Zizmor version (default remains '1.16.0').
  • Updated the installation step to use the specified Zizmor version, passing the version dynamically via an environment variable.
  • If the input is empty the latest version is installed

Tests:

  • Without defining the zizmor-version input
image
  • With the input set to 1.17.0
image
  • With the input set to an empty string to use the latest release of zizmor
image

@vgelbgras vgelbgras self-assigned this Mar 27, 2026
@github-actions github-actions bot added the enhancement General improvements to existing features label Mar 27, 2026
@vgelbgras vgelbgras marked this pull request as ready for review March 27, 2026 10:16
@vgelbgras vgelbgras requested a review from a team as a code owner March 27, 2026 10:16
SMoraisAnsys
SMoraisAnsys reviewed Apr 2, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@SMoraisAnsys SMoraisAnsys left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the proposed changes @vgelbgras

I don't have a strong opinion on allowing (or not) this new input. I would avoid allowing to use the latest version of zizmor through an empty string though. While I like the idea, it leads to running code that maintainers haven't had the chance to look into before running. Since we are moving toward pinned versions in CI and controlled versions, I would avoid that.

As for my though on the new input:
Pros:

  • would allow one to use a newer version of zizmor that isn't yet added to the ansys/actions latest release
  • would allow one to use a newly release version of ansys/actions (which contains zizmor bump and leads to required changes) while postponing temporarily the changes required to work with a new version of zizmor until one has the time to tackle them.
    Cons:
  • if one does pin a version, one can easily forget about it and this would lead to the use of an old version of zizmor without knowing it :/ This is probably the most critical part as it partially defeats the purpose of this action..

Note, we could add a "check" mechanism that triggers a warning if the version used is lower than the default version.

@vgelbgras
Copy link
Copy Markdown
Contributor Author

vgelbgras commented Apr 3, 2026

Thanks for the proposed changes @vgelbgras

I don't have a strong opinion on allowing (or not) this new input. I would avoid allowing to use the latest version of zizmor through an empty string though. While I like the idea, it leads to running code that maintainers haven't had the chance to look into before running. Since we are moving toward pinned versions in CI and controlled versions, I would avoid that.

As for my though on the new input: Pros:

  • would allow one to use a newer version of zizmor that isn't yet added to the ansys/actions latest release
  • would allow one to use a newly release version of ansys/actions (which contains zizmor bump and leads to required changes) while postponing temporarily the changes required to work with a new version of zizmor until one has the time to tackle them.
    Cons:
  • if one does pin a version, one can easily forget about it and this would lead to the use of an old version of zizmor without knowing it :/ This is probably the most critical part as it partially defeats the purpose of this action..

Note, we could add a "check" mechanism that triggers a warning if the version used is lower than the default version.

Hi @SMoraisAnsys, I removed the part to use the latest version if the input is an empty string
For saf teams, the interest of using the input version is to sync the version with what there is in the .pre-commit-config.yaml file

@vgelbgras vgelbgras closed this Apr 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@SMoraisAnsys SMoraisAnsys SMoraisAnsys left review comments

@klmcadams klmcadams Awaiting requested review from klmcadams klmcadams is a code owner automatically assigned from ansys/pyansys-core

@moe-ad moe-ad Awaiting requested review from moe-ad moe-ad is a code owner automatically assigned from ansys/pyansys-core

@MaxJPRey MaxJPRey Awaiting requested review from MaxJPRey MaxJPRey is a code owner automatically assigned from ansys/pyansys-core

@Revathyvenugopal162 Revathyvenugopal162 Awaiting requested review from Revathyvenugopal162 Revathyvenugopal162 is a code owner automatically assigned from ansys/pyansys-core

Assignees

@vgelbgras vgelbgras

Labels

enhancement General improvements to existing features

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@vgelbgras @SMoraisAnsys @pyansys-ci-bot