zizmorcore · woodruffw · Jun 5, 2025 · May 28, 2025 · May 28, 2025 · May 28, 2025
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
diff --git a/Makefile b/Makefile
@@ -1,23 +1,3 @@
-VENV ?= .venv
-
-.PHONY: dev
-dev: $(VENV)/pyvenv.cfg
-
-$(VENV)/pyvenv.cfg: dev-requirements.txt
-	uv venv $(VENV)
-	uv pip install -r $<
-
-.PHONY: lint
-lint: $(VENV)/pyvenv.cfg
-	uv run ruff format --check && \
-	uv run ruff check && \
-	uv run mypy .
-
-.PHONY: format
-format: $(VENV)/pyvenv.cfg
-	uv run ruff format && \
-	uv run ruff check --fix
-
 .PHONY: pinact
 pinact:
 	pinact run --update --verify
diff --git a/README.md b/README.md
@@ -3,7 +3,9 @@
 Run [`zizmor`] from GitHub Actions!
 
 > [!WARNING]
-> This action is not ready for public use!
+> This action is ready for public use, but it is still in early development.
+> Please report any issues you encounter, and be aware that backwards
+> incompatible changes may be made until a stable version is released.
 
 ## Table of Contents
 
@@ -17,13 +19,16 @@ Run [`zizmor`] from GitHub Actions!
   - [`token`](#token)
   - [`advanced-security`](#advanced-security)
 - [Permissions](#permissions)
+- [Troubleshooting](#troubleshooting)
 
 ## Quickstart
 
 This section lists a handful of quick-start examples to get you up and
 running with `zizmor` and `zizmor-action`. See the [Inputs](#inputs)
 section for more details on how `zizmor-action` can be configured.
 
+If you run into any issues, please see the [Troubleshooting] section!
+
 ### Usage with Github Advanced Security (recommended)
 
 > [!IMPORTANT]
@@ -235,10 +240,31 @@ contents: read
 security-events: write"}
 ```
 
+## Troubleshooting
+
+### "Cannot run this action without Docker"
+
+This action uses a container to run `zizmor`, which means that it
+needs access to a container runtime (like Docker).
+
+If you see this error, it _probably_ means that you are running the
+action from a self-hosted runner, or from one of the GitHub-hosted runners
+that does not have Docker installed. For example, the GitHub-hosted
+macOS runners do not have Docker installed by default.
+
+For self-hosted runners, you should install Docker (or a compatible
+container runtime) onto the runner.
+
+For GitHub-hosted runners, you should switch to `ubuntu-latest` or another
+Linux-based runner that comes with Docker by default. You _may_ be
+able to use [docker/setup-docker-action] to install Docker on other runners,
+but this is **not officially supported** by this action.
+
 [`zizmor`]: https://docs.zizmor.sh
 [Advanced Security]: https://docs.github.com/en/get-started/learning-about-github/about-github-advanced-security
 [About code scanning alerts - Pull request check failures for code scanning alerts]: https://docs.github.com/en/code-security/code-scanning/managing-code-scanning-alerts/about-code-scanning-alerts#pull-request-check-failures-for-code-scanning-alerts
 [Input collection]: https://docs.zizmor.sh/usage/#input-collection
 [Audit Rules]: https://docs.zizmor.sh/audits/
 [Using personas]: https://docs.zizmor.sh/usage/#using-personas
 [Filtering results]: https://docs.zizmor.sh/usage/#filtering-results
+[docker/setup-docker-action]: https://github.com/docker/setup-docker-action
diff --git a/action.py b/action.py
diff --git a/action.sh b/action.sh
@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+
+# action.sh: run zizmor via Docker
+
+set -euo pipefail
+
+dbg() {
+    echo "::debug::${*}"
+}
+
+warn() {
+    echo "::warning::${*}"
+}
+
+err() {
+    echo "::error::${*}"
+}
+
+die() {
+  err "${*}"
+  exit 1
+}
+
+installed() {
+    command -v "${1}" >/dev/null 2>&1
+}
+
+output() {
+    echo "${1}=${2}" >> "${GITHUB_OUTPUT}"
+}
+
+installed docker || die "Cannot run this action without Docker"
+
+[[ "${RUNNER_OS}" != "Linux" ]] && warn "Unsupported runner OS: ${RUNNER_OS}"
+
+output="${RUNNER_TEMP}/zizmor"
+
+version_regex='^[0-9]+\.[0-9]+\.[0-9]+$'
+
+[[ "${GHA_ZIZMOR_VERSION}" == "latest" || "${GHA_ZIZMOR_VERSION}" =~ $version_regex ]] \
+    || die "'version' must be 'latest' or an exact X.Y.Z version"
+
+arguments=()
+arguments+=("--persona=${GHA_ZIZMOR_PERSONA}")
+
+if [[ "${GHA_ZIZMOR_ADVANCED_SECURITY}" == "true" ]]; then
+    arguments+=("--format=sarif")
+    output "sarif-file" "${output}"
+fi
+
+[[ "${GHA_ZIZMOR_ONLINE_AUDITS}" == "true" ]] || arguments+=("--no-online-audits")
+[[ -n "${GHA_ZIZMOR_MIN_SEVERITY}" ]] && arguments+=("--min-severity=${GHA_ZIZMOR_MIN_SEVERITY}")
+[[ -n "${GHA_ZIZMOR_MIN_CONFIDENCE}" ]] && arguments+=("--min-confidence=${GHA_ZIZMOR_MIN_CONFIDENCE}")
+
+image="ghcr.io/zizmorcore/zizmor:${GHA_ZIZMOR_VERSION}"
+
+# Notes:
+# - We run the container with ${GITHUB_WORKSPACE} mounted as /workspace
+#   and with /workspace as the working directory, so that user inputs
+#   like '.' resolve correctly.
+# - We pass the GitHub token as an environment variable so that zizmor
+#   can run online audits/perform online collection if requested.
+# - We pass FORCE_COLOR=1 so that the output is always colored, even
+#   though we intentionally don't `docker run -it`.
+# - ${GHA_ZIZMOR_INPUTS} is intentionally not quoted, so that
+#   it can expand according to the shell's word-splitting rules.
+#   However, we put it after `--` so that it can't be interpreted
+#   as one or more flags.
+#
+# shellcheck disable=SC2086
+docker run \
+    --rm \
+    --volume "${GITHUB_WORKSPACE}:/workspace:ro" \
+    --workdir "/workspace" \
+    --env "GH_TOKEN=${GHA_ZIZMOR_TOKEN}" \
+    --env "FORCE_COLOR=1" \
+    "${image}" \
+    "${arguments[@]}" \
+    -- \
+    ${GHA_ZIZMOR_INPUTS} \
+        | tee "${output}"
+
diff --git a/action.yml b/action.yml
@@ -60,15 +60,10 @@ inputs:
 runs:
   using: composite
   steps:
-    - name: Install uv
-      uses: astral-sh/setup-uv@f0ec1fc3b38f5e7cd731bb6ce540c5af426746bb # v6.1.0
-      with:
-        enable-cache: false
-
     - name: Run zizmor
       id: run-zizmor
       run: |
-        "${GITHUB_ACTION_PATH}/action.py"
+        "${GITHUB_ACTION_PATH}/action.sh"
       env:
         GHA_ZIZMOR_INPUTS: ${{ inputs.inputs }}
         GHA_ZIZMOR_ONLINE_AUDITS: ${{ inputs.online-audits }}

diff --git a/dev-requirements.txt b/dev-requirements.txt