Thanks for moving this to a dedicated action! I was looking forward to dropping the intermediate "setup uv; uv install zizmor" step but it looks like GHE users won't be able to do this for now.
Given this workflow file:
```yaml
---
name: GitHub Actions Security Analysis with zizmor 🌈
on:
  push:
    paths:
      - ".github/workflows/*"
jobs:
  zizmor:
    name: zizmor
    runs-on: self-hosted
    permissions:
      security-events: write
      contents: read
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Run zizmor
        uses: zizmorcore/zizmor-action@v0.1.1 #f52a838cfabf134edcbaa7c8b3677dde20045018
        with:
          advanced-security: false
```
I get this error:
```
Download action repository 'github/codeql-action@ff0a06e83cb2de871e5a09832bc6a81e7276941f' (SHA:ff0a06e83cb2de871e5a09832bc6a81e7276941f)
Error: An action could not be found at the URI 'https://github.corp.internal/api/v3/repos/github/codeql-action/tarball/ff0a06e83cb2de871e5a09832bc6a81e7276941f'
```
Apparently, the `with.advanced-security: false` is evaluated after trying to resolve the `uses: ...` key. I'm not sure what the solution is in this case.
For anybody else that hits this edge case, the workaround is to use `uv` as an intermediate:
```yaml
- name: Install the latest version of uv
  uses: astral-sh/setup-uv@v5
  env:
    GITHUB_TOKEN: ${{ secrets.PUBLIC_GITHUB_TOKEN }}
- name: Run zizmor
  run: uvx zizmor --format plain .github/workflows
  env:
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    GH_HOST: github.corp-internal.com
```
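Added example, not part of the original issue or the zizmor project: a pre-flight check that follows `uses:` references transitively and reports the ones a GHES instance cannot serve, ignoring `if:` and `with:` the same way the download in the error above did. The composite action manifest, the `AVAILABLE` set and the function names are constructed assumptions; only the workflow refs and the codeql-action SHA come from the issue.

```python
import re

# Matches a step's `uses:` value; a trailing "# comment" is not captured.
USES_RE = re.compile(r"^\s*(?:-\s+)?uses:\s*['\"]?([^\s'\"#]+)")

def action_refs(yaml_text):
    """List remote action references in order. `if:` and `with:` are ignored on
    purpose: the runner downloads actions before it evaluates either."""
    refs = []
    for line in yaml_text.splitlines():
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")):
            if m.group(1) not in refs:
                refs.append(m.group(1))
    return refs

def unresolved(workflow, manifests, available):
    """Follow `uses:` transitively and return refs whose owner/repo is not in
    `available` (the repositories the GHES instance can serve)."""
    missing, seen, queue = [], set(), action_refs(workflow)
    while queue:
        ref = queue.pop(0)
        if ref in seen:
            continue
        seen.add(ref)
        repo = "/".join(ref.split("@")[0].split("/")[:2])
        if repo not in available:
            missing.append(ref)
        queue.extend(action_refs(manifests.get(repo, "")))
    return missing

# Constructed sample data (the action manifest is a stand-in, not the real file).
WORKFLOW = """
steps:
  - uses: actions/checkout@v4
  - uses: zizmorcore/zizmor-action@v0.1.1 #f52a838cfabf134edcbaa7c8b3677dde20045018
    with:
      advanced-security: false
"""
MANIFESTS = {"zizmorcore/zizmor-action": """
runs:
  using: composite
  steps:
    - if: inputs.advanced-security == 'true'
      uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f
"""}
AVAILABLE = {"actions/checkout", "zizmorcore/zizmor-action"}
if __name__ == "__main__":
    print(unresolved(WORKFLOW, MANIFESTS, AVAILABLE))
```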