Merged
22 changes: 9 additions & 13 deletions .github/workflows/ci.yaml
@@ -50,10 +50,9 @@ jobs:
with:
persist-credentials: false

- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
- uses: dtolnay/rust-toolchain@stable
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "All dtolnay/rust-toolchain references in workflows:"
rg -nP 'uses:\s*dtolnay/rust-toolchain@' .github/workflows

echo
echo "Non-SHA refs (should be empty after pinning):"
rg -nP 'uses:\s*dtolnay/rust-toolchain@(?![0-9a-f]{40}\b)\S+' .github/workflows

echo
echo "Current upstream heads for convenience (pick reviewed SHAs, don't auto-trust):"
git ls-remote https://github.com/dtolnay/rust-toolchain refs/heads/master refs/heads/stable || true

Repository: RustPython/RustPython

Length of output: 2329


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== Verifying exact line ranges in ci.yaml ==="
echo "Line 53:"
sed -n '51,55p' .github/workflows/ci.yaml

echo
echo "Lines 172–174:"
sed -n '170,176p' .github/workflows/ci.yaml

echo
echo "Line 255:"
sed -n '253,257p' .github/workflows/ci.yaml

echo
echo "Line 368:"
sed -n '366,370p' .github/workflows/ci.yaml

echo
echo "Lines 426–429:"
sed -n '424,431p' .github/workflows/ci.yaml

echo
echo "Lines 452–454:"
sed -n '450,456p' .github/workflows/ci.yaml

echo
echo "Lines 529–531:"
sed -n '527,533p' .github/workflows/ci.yaml

Repository: RustPython/RustPython

Length of output: 1512


Pin dtolnay/rust-toolchain action references to commit SHAs instead of mutable tags.

Lines 53, 172–174, 255, 368, 426–429, 452–454, and 529–531 use mutable refs (@stable and @master). These can change without notice, compromising CI reproducibility and introducing supply chain risk. Line 426 with @master is especially problematic. Pin all references to full 40-character commit SHAs with a comment preserving the original tag/intent.

Suggested pattern
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8  # stable
         with:
           components: clippy
-      - uses: dtolnay/rust-toolchain@master
+      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9  # master
         with:
           toolchain: ${{ env.NIGHTLY_CHANNEL }}
           components: miri
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yaml at line 53, Replace all uses of the reusable
action reference dtolnay/rust-toolchain that use mutable tags (e.g., `@stable` and
`@master`) with their corresponding full 40-character commit SHAs to avoid mutable
refs; update each occurrence (the instances currently written as
dtolnay/rust-toolchain@stable and dtolnay/rust-toolchain@master) to the exact
commit SHA and add a short comment on the same line preserving the original
tag/intent (for example: # originally `@stable`) so CI remains reproducible and
reviewers know the intended channel.

with:
components: clippy
toolchain: stable

- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
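Review bot: the SHA pin that this hunk drops (3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 with `toolchain: stable`) already produced a stable toolchain, so moving to `@stable` gains nothing in behaviour and loses the immutability; the branch ref now selects both the action's code and the toolchain channel, and upstream can move it at any time. Every other action in the same file stays hash-pinned with a version comment (`Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1` two lines down), so if this action is to be the one exception, put the reason on the `uses:` line itself rather than only in the separate zizmor config, where the next reader of ci.yaml will not see it. Also note that `persist-credentials: false` on the preceding checkout limits what a compromised action could do with the repo token, but not with any other secret in the job's environment.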
@@ -170,7 +169,9 @@ jobs:
restore-keys: |
cargo-check-${{ runner.os }}-${{ matrix.target }}-

- run: rustup toolchain install stable --target "${{ matrix.target }}"
- uses: dtolnay/rust-toolchain@stable
with:
target: ${{ matrix.target }}

- name: Setup Android NDK
if: ${{ matrix.target == 'aarch64-linux-android' }}
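Review bot: unlike the other hunks, this one does not swap one pin for another; the `rustup toolchain install stable --target "${{ matrix.target }}"` line it replaces ran no third-party code, and the job now fetches an action from a mutable branch ref to do the same thing. If the action is wanted here for consistency with the other jobs, say so in a comment on the `uses:` line, because this is exactly the step the zizmor `superfluous-actions` rule (disabled globally later in this PR) exists to flag; otherwise keep the `rustup` invocation, which needs no exception at all.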
@@ -251,9 +252,7 @@ jobs:
with:
persist-credentials: false

- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
with:
toolchain: stable
- uses: dtolnay/rust-toolchain@stable

- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
@@ -366,9 +365,8 @@ jobs:
with:
python-version: ${{ env.PYTHON_VERSION }}

- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
- uses: dtolnay/rust-toolchain@stable
with:
toolchain: stable
components: rustfmt

- uses: cargo-bins/cargo-binstall@113a77a4ce971c41332f2129c3d995df993cf746 # v1.17.8
@@ -425,7 +423,7 @@ jobs:
with:
persist-credentials: false

- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
- uses: dtolnay/rust-toolchain@master
with:
toolchain: ${{ env.NIGHTLY_CHANNEL }}
components: miri
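Review bot: this job still passes `toolchain: ${{ env.NIGHTLY_CHANNEL }}` explicitly, so the ref after `@` selects only the action's code, not the toolchain channel; the argument that a hash pin "would break the intended usage pattern" therefore does not apply here, and the previous SHA pin could be kept (with a `# master` comment) at no cost. If a branch ref is used anyway, `@master` is the action's development branch and receives every change first, which is a worse choice than the alternatives for the one job in the file that also runs miri.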
@@ -451,10 +449,9 @@ jobs:
with:
persist-credentials: false

- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
- uses: dtolnay/rust-toolchain@stable
with:
components: clippy
toolchain: stable

- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
@@ -529,10 +526,9 @@ jobs:
with:
persist-credentials: false

- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
- uses: dtolnay/rust-toolchain@stable
with:
target: wasm32-wasip1
toolchain: stable

- uses: Swatinem/rust-cache@c19371144df3bb44fab255c43d04cbc2ab54d1c4 # v2.9.1
with:
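Review bot: the input is spelled `target: wasm32-wasip1` here (and `target: ${{ matrix.target }}` in the earlier cross-build hunk) but `targets: wasm32-wasip1` in the release.yml hunk of this same PR. The action accepts both spellings today, with `targets` being the name its README documents; pick one for both workflows so that a future change upstream cannot silently stop adding the target in one file while the other keeps working. This matters more than usual here because the wasm32-wasip1 build is the one that release.yml also produces.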
4 changes: 2 additions & 2 deletions .github/workflows/release.yml
@@ -52,7 +52,7 @@ jobs:
with:
persist-credentials: false

- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
- uses: dtolnay/rust-toolchain@stable
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "All rust-toolchain refs in release workflow:"
rg -nP 'uses:\s*dtolnay/rust-toolchain@' .github/workflows/release.yml

echo
echo "Non-SHA refs (should be empty after fix):"
rg -nP 'uses:\s*dtolnay/rust-toolchain@(?![0-9a-f]{40}\b)\S+' .github/workflows/release.yml

Repository: RustPython/RustPython

Length of output: 340


Pin dtolnay/rust-toolchain to an immutable commit SHA in the release workflow.

Lines 55 and 92 use mutable @stable reference. In a release workflow, mutable refs allow upstream changes to alter build and release behavior without review.

Suggested change

Replace both occurrences of @stable with a specific commit SHA (40 characters) and add a comment indicating the stable tag.

-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@<commit-sha> # stable

Determine the current commit SHA for the stable tag from the dtolnay/rust-toolchain repository.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/release.yml at line 55, Replace both mutable references of
the dtolnay/rust-toolchain action ("uses: dtolnay/rust-toolchain@stable") with
the repository's immutable 40-character commit SHA for the current stable tag
and add an inline comment noting which stable tag the SHA corresponds to; locate
and update the two occurrences in the release workflow where "uses:
dtolnay/rust-toolchain@stable" appears, fetch the current commit SHA from the
dtolnay/rust-toolchain GitHub repo for the stable tag, and use that SHA in place
of "@stable" so the workflow is pinned to a specific commit.

with:
target: ${{ matrix.target }}

@@ -89,7 +89,7 @@ jobs:
with:
persist-credentials: false

- uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9
- uses: dtolnay/rust-toolchain@stable
with:
targets: wasm32-wasip1

14 changes: 14 additions & 0 deletions .github/zizmor.yml
@@ -0,0 +1,14 @@
rules:
unpinned-uses:
config:
policies:
# dtolnay/rust-toolchain is a trusted action that uses lightweight branch
# refs (@stable, @nightly, etc.) by design. Pinning to a hash would break
# the intended usage pattern.
# We can remove this once https://github.com/dtolnay/rust-toolchain/issues/180 is resolved
dtolnay/rust-toolchain: any
# dtolnay/rust-toolchain handles component installation, target addition, and
# override configuration beyond what a bare `rustup` invocation provides.
# See: https://github.com/zizmorcore/zizmor/issues/1817
superfluous-actions:
disable: true
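Review bot: the `dtolnay/rust-toolchain: any` policy is wider than the comment above it justifies; `ref-pin` is the zizmor policy that allows the `@stable`, `@nightly` style branch refs the comment describes while still flagging a bare `dtolnay/rust-toolchain` with no ref, so it expresses the intended exception more precisely than `any`. The comment's claim that a hash pin "would break the intended usage pattern" also overstates the case, since the workflows being changed in this PR were hash-pinned with an explicit `toolchain:` input and worked; the real cost is that a hash pin no longer follows action updates, which is worth stating honestly next to the issue link. Finally, `superfluous-actions: disable: true` switches the rule off for the whole repository, not just for this action; a `# zizmor: ignore[superfluous-actions]` comment on each affected `uses:` line (or a file-scoped `ignore:` entry under the rule) keeps the rule active for everything else.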