{"author":"Viktor Szakats","author_email":"commit@vsz.me","author_time":1746636987,"commit_time":1746652269,"committer":"Viktor Szakats","committer_email":"commit@vsz.me","hash":"e522f47986bb72f194636e155191d7dccdc2d4fc","message":"GHA/checksrc: check GHA rules with zizmor\n\nThe pedantic level is experimental. If it causes issues, we may just\ndisable it alongside the ignore comments.\n\nAlso:\n- silence error:\n  ```\n   INFO audit: zizmor: completed label.yml\n  error[dangerous-triggers]: use of fundamentally insecure workflow trigger\n    --> label.yml:13:1\n     |\n  13 | 'on': [pull_request_target]\n     | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely\n     |\n     = note: audit confidence -> Medium\n  ```\n- fix pedantic warning:\n  ```\n   INFO audit: zizmor: completed label.yml\n  warning[excessive-permissions]: overly broad permissions\n    --> label.yml:1:1\n  ...  |\n  24 | |         with:\n  25 | |           repo-token: '${{ secrets.GITHUB_TOKEN }}'\n     | |____________________________________________________- default permissions used due to no permissions: block\n     |\n     = note: audit confidence -> Medium\n  ```\n- silence `template-injection` false positives like:\n  ```\n  - note: ${{ matrix.build.torture && 'test-torture' || 'test-ci' }} may expand into attacker-controllable code\n  - note: ${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }} may expand into attacker-controllable code\n  ```\n  It doesn't seem like these could be controlled by an attacker.\n  Let me know if I'm missing something.\n\nCloses #17278\n","parents":["283ad5c4320fa1d733e60a0dbe216ee36e3924fb"],"tree_hash":"0f39968b6b0829917bc25f2b58ee859852908365"}