CI: Adopt reusable workflows, fix zizmor findings #169
Merged · tykeal merged 1 commit · Jun 30, 2026
Conversation
Replace the large inline build/test and release pipelines with thin
callers of the reusable multi-arch Python workflows from
lfreleng-actions/python-workflows, pinned to the v0.1.1 release commit.
The reusable workflows reproduce the canonical pipeline (metadata,
build, tests, audit, SBOM and Grype scan, fanned across the x64 + arm64
matrix); native NSS/NSPR prerequisites are supplied through the
committed setup script (.github/scripts/setup-nss.sh) consumed via the
reusable workflow's setup_script input. PyPI publishing stays in this
repository so the existing token credentials remain scoped here.
This collapses hundreds of lines of duplicated pipeline YAML and clears
the zizmor security findings reported against the repository:
* High excessive-permissions: the workflow-level "actions: write"
in build-test.yaml is gone with the inline cache-clear logic.
* Medium artipacked (credential persistence): the inline checkouts
that carried persisted credentials have been removed.
The remaining workflows are brought into line with the clean template:
* compatibility.yaml: add "persist-credentials: false" to both
checkouts. The fedora:44 CI container is intentionally tracked by
tag (not a frozen digest) so it keeps receiving Fedora security
rebuilds and stays aligned with the downstream Sigul consumer, so
the High unpinned-images finding is suppressed inline with a
documented rationale rather than pinned to a digest.
* advanced-tests.yaml: add "persist-credentials: false" to all six
checkout steps.
The default-persona zizmor scan (the persona the GitHub code-scanning
upload uses) now reports no findings.
Co-Authored-By: Claude <noreply@anthropic.com>
Signed-off-by: Matthew Watkins <mwatkins@linuxfoundation.org>
Copilot started reviewing on behalf of ModeSevenIndustrialSolutions, June 30, 2026 14:40
Pull request overview
This PR migrates the repository’s build/test and tag-release GitHub Actions pipelines to thin “caller” workflows that delegate the heavy lifting to pinned reusable multi-arch workflows in lfreleng-actions/python-workflows (v0.1.1), while also addressing outstanding zizmor security findings in existing workflows.
Changes:
- Replaced the in-repo build/test and build/test/release workflow logic with calls to reusable multi-arch workflows (pinned by commit SHA).
- Added `persist-credentials: false` to `actions/checkout` in multiple workflows to address zizmor `artipacked` findings.
- Documented and intentionally suppressed zizmor `unpinned-images` for the `fedora:44` CI container with rationale.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/workflows/compatibility.yaml | Documents fedora:44 tag-tracking rationale + suppresses unpinned-images; adds persist-credentials: false to checkouts. |
| .github/workflows/build-test.yaml | Converts to a thin caller of the pinned reusable multi-arch build/test workflow, passing NSS/NSPR setup inputs. |
| .github/workflows/build-test-release.yaml | Converts to a thin caller of the pinned reusable multi-arch release workflow and keeps PyPI publishing jobs locally. |
| .github/workflows/advanced-tests.yaml | Adds persist-credentials: false to checkouts to reduce token persistence risk. |
Copilot started reviewing on behalf of ModeSevenIndustrialSolutions, June 30, 2026 14:48
tykeal approved these changes, Jun 30, 2026
Summary
Migrates the build/test and release pipelines to the reusable multi-arch Python workflows from `lfreleng-actions/python-workflows` (pinned to the v0.1.1 release commit `4f48e1c`), and clears the outstanding zizmor security findings reported against the repository.
Workflow migration
- `build-test.yaml` → thin caller of `build-test-multiarch.yaml`.
- `build-test-release.yaml` → thin caller of `build-test-release-multiarch.yaml`, with the `test-pypi`/`pypi` publish jobs kept in this repository (publishing credentials are repository-scoped). The reusable `release` job builds, tests, audits, scans, attaches artefacts and promotes the draft release; the publish jobs upload the run-scoped `dist-*` artefacts it produces.
- Native NSS/NSPR prerequisites come from the committed `.github/scripts/setup-nss.sh`, consumed via the reusable workflow's `setup_script` input (plus `make`/`make_args` for the source build). This matches the canonical wiring used by `python-workflows/.github/workflows/testing.yaml`.
- The existing token credentials (`TEST_PYPI_CREDENTIAL`/`PYPI_CREDENTIAL`) and the `development`/`production` environments are preserved — no PyPI trusted-publisher reconfiguration required.

Net change: +102 / −1721 lines.
Security findings (zizmor)

| Finding | File(s) | Resolution |
|---|---|---|
| `excessive-permissions` | `build-test.yaml` (`actions: write`) | removed together with the inline cache-clear logic |
| `unpinned-images` | `compatibility.yaml` (`fedora:44`) | suppressed inline with a documented rationale |
| `artipacked` | `build-test*.yaml` | inline checkouts removed |
| `artipacked` | `advanced-tests.yaml` (×6), `compatibility.yaml` (×2) | `persist-credentials: false` |

The default-persona zizmor scan (the persona the GitHub code-scanning upload uses) now reports no findings.
On `fedora:44`: the container is intentionally tracked by tag (not a frozen digest) so it keeps receiving Fedora's security rebuilds and stays aligned with the downstream Sigul signing consumer (`FROM fedora:44`). Because this is a CI test container — not a release or runtime artefact — the `unpinned-images` finding is suppressed inline with `# zizmor: ignore[unpinned-images]` and a documented rationale, rather than pinned to a digest (which would freeze the security rebuilds out). The previous comment claiming a tag pin satisfies the audit was incorrect and has been corrected.
CodeQL default-setup conflict (resolved out-of-band)

This repo has a custom (advanced) CodeQL workflow (`codeql.yml`, via `reuse-python-codeql.yaml`) and GitHub's CodeQL default setup was also configured — the two conflict, which is what caused the SARIF upload failures in code scanning. The default setup has been disabled (`state: not-configured`) so the advanced workflow now owns code scanning. No file change is involved; this is a repository setting.
Validation
- `zizmor` (default + auditor personas) — default persona clean.
- `prek run` (yamllint, actionlint, reuse lint, codespell, workflow validators) — all pass.
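The shapes described in the migration and findings sections above, as an added illustration that is not a file from this PR nor code from `lfreleng-actions/python-workflows`: a thin caller pinned by commit, the hardened checkout, and the documented `unpinned-images` suppression. Assumptions, also marked in the comments: the trigger and `permissions` blocks, the all-zero placeholder standing in for the full commit SHA behind `4f48e1c`, and that the reusable workflow takes exactly the `setup_script`/`make`/`make_args` inputs the description names (their values are not shown on the page, so `make`/`make_args` are left out).

```yaml
# Added illustration, not a file from this PR. Assumptions are marked inline.

# .github/workflows/build-test.yaml (thin caller)
name: Build/Test

on:                          # trigger block assumed
  pull_request:
  push:
    branches: [main]

# Minimal caller-level token scope (assumed). The former workflow-level
# "actions: write", which zizmor reported as excessive-permissions, is gone
# together with the inline cache-clear logic it served.
permissions:
  contents: read

jobs:
  build-test:
    # Pin the reusable workflow to a full commit SHA, never to a mutable tag
    # or branch; the release tag stays in a trailing comment for humans.
    # The SHA below is a placeholder, not the real v0.1.1 commit.
    uses: lfreleng-actions/python-workflows/.github/workflows/build-test-multiarch.yaml@0000000000000000000000000000000000000000  # v0.1.1
    with:
      # Native NSS/NSPR prerequisites come from the committed setup script.
      setup_script: .github/scripts/setup-nss.sh
      # make / make_args drive the source build; values not shown on the page.

---
# .github/workflows/compatibility.yaml (excerpt showing the two patterns only)
jobs:
  compatibility:
    runs-on: ubuntu-latest
    # Tag tracking is deliberate: this is a CI test container, not a release
    # or runtime artefact, and a digest pin would freeze out Fedora's security
    # rebuilds and drift from the downstream Sigul image (FROM fedora:44).
    container: fedora:44  # zizmor: ignore[unpinned-images]
    steps:
      # before (zizmor artipacked): actions/checkout keeps the job's
      # GITHUB_TOKEN in the clone's git config for every later step.
      #   - uses: actions/checkout@v4
      # after: the token is discarded once the clone is done.
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
```

The ignore comment sits inline on the flagged `container:` line next to the rationale, so a reader of the file sees both at once. After a change like this, run zizmor once in the default persona (the one the code-scanning upload reports from) and once in the auditor persona; the latter surfaces the pedantic findings that the default persona hides, which is how the description distinguishes "default persona clean" from a fully silent scan.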