Kusari Analysis Results

Analysis for commit: 972c1ee, performed at: 2025-08-12T12:32:55Z

• @kusari-inspector rerun - Trigger a re-analysis of this PR

• @kusari-inspector feedback [your message] - Send feedback to our AI and team

Recommendation

✅ PROCEED with this Pull Request

Summary

✅ No Flagged Issues Detected

All values appear to be within acceptable risk parameters.

No pinned version dependency changes, code issues or exposed secrets detected!

Found this helpful? Give it a 👍 or 👎 reaction!

Hi @martincostello, thanks for the PR!

That's actually an error in the README 😅 -- I originally intended for it to be the exact tag at it appears on zizmor's Docker images: https://github.com/zizmorcore/zizmor/pkgs/container/zizmor

(I did that in turn because it's my understanding that Docker version tags are conventionally not prefixed with v, but I might be wrong about that.)

I guess I'm not opposed to allowing v as well and then stripping it off as this PR does, but out of curiosity: would it be troublesome for your use case to have it remain unprefixed?

I think initially it was because I thought that renovate would provide the version with the v prefix because that's the name of the tag, so I'd have to trim it myself anyway, though I've subsequently found that isn't the case.

However, for the minimal change needed to support the v prefix (e.g. if someone is manually getting the version by querying GitHub for the latest release), I think it's worth supporting anyway to make people's lives easier and avoid one possible foot-gun when adopting the tool.

I think initially it was because I thought that renovate would provide the version with the v prefix because that's the name of the tag, so I'd have to trim it myself anyway, though I've subsequently found that isn't the case.

Oh, can Renovate update these kinds of version fields? That's pretty surprising to me, since in this case it's an entirely custom field that just happens to map to a Docker image tag on GHCR

I think it's worth supporting anyway to make people's lives easier and avoid one possible foot-gun when adopting the tool.

Agreed; I'll do a full review later today 🙂

I thought it could, but it can't without me refactoring my initial code snippet.

I added up with this:

env:
  # renovate: datasource=github-releases depName=zizmor packageName=zizmorcore/zizmor
  ZIZMOR_VERSION: '1.11.0'

# then later...

    - name: Lint workflows with zizmor
      uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
      with:
        persona: pedantic
        version: ${{ env.ZIZMOR_VERSION }}

It leverages the customManagers:githubActionsVersions preset.

Gotcha. TIL about that feature of Renovate as well.

Thanks @martincostello!