From 2a51f1116d388d308ce1ccb43bc05c46c945a7dd Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 8 Apr 2026 10:17:24 +0000
Subject: [PATCH 01/15] Bump super-linter/super-linter from 8.5.0 to 8.6.0

Bumps [super-linter/super-linter](https://github.com/super-linter/super-linter) from 8.5.0 to 8.6.0.
- [Release notes](https://github.com/super-linter/super-linter/releases)
- [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md)
- [Commits](https://github.com/super-linter/super-linter/compare/61abc07d755095a68f4987d1c2c3d1d64408f1f9...9e863354e3ff62e0727d37183162c4a88873df41)

---
updated-dependencies:
- dependency-name: super-linter/super-linter
dependency-version: 8.6.0
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/Linter.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/Linter.yml b/.github/workflows/Linter.yml
index 86b4723..e981cc1 100644
--- a/.github/workflows/Linter.yml
+++ b/.github/workflows/Linter.yml
@@ -25,7 +25,7 @@ jobs:
 fetch-depth: 0
 - name: Lint code base
- uses: super-linter/super-linter@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
+ uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0
 env:
 GITHUB_TOKEN: ${{ github.token }}
 VALIDATE_BIOME_FORMAT: false

From 7f436e5bafa9ec838ace530cb02d6d1bca698732 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 16:04:49 +0200
Subject: [PATCH 02/15] chore: trigger fresh CI run for PR #87 diagnostics

From a0c9837c90c421d6ceceba2c2a4a924014eb578f Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 16:14:59 +0200
Subject: [PATCH 03/15] Fix linter v8.6.0 violations: suppress pre-existing Zizmor findings in TestWorkflow and fix line length in Linter.yml

---
 .github/linters/zizmor.yaml | 3 +++
 .github/workflows/Linter.yml | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml
index d0b6c21..91959de 100644
--- a/.github/linters/zizmor.yaml
+++ b/.github/linters/zizmor.yaml
@@ -2,3 +2,6 @@ rules:
 template-injection:
 ignore:
 - action.yml
+ secrets-outside-env:
+ ignore:
+ - .github/workflows/TestWorkflow.yml
diff --git a/.github/workflows/Linter.yml b/.github/workflows/Linter.yml
index e981cc1..5b76cfd 100644
--- a/.github/workflows/Linter.yml
+++ b/.github/workflows/Linter.yml
@@ -25,7 +25,7 @@ jobs:
 fetch-depth: 0
 - name: Lint code base
- uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0
+ uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0 # yamllint disable-line line-length
 env:
 GITHUB_TOKEN: ${{ github.token }}
 VALIDATE_BIOME_FORMAT: false

From 5ecb0efc3b8373910f9ce86e1ddb45e639de87f9 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 16:19:17 +0200
Subject: [PATCH 04/15] Suppress pre-existing Zizmor secrets-outside-env findings in TestWorkflow.yml

---
 .github/linters/zizmor.yaml | 3 ---
 .github/workflows/TestWorkflow.yml | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml
index 91959de..d0b6c21 100644
--- a/.github/linters/zizmor.yaml
+++ b/.github/linters/zizmor.yaml
@@ -2,6 +2,3 @@ rules:
 template-injection:
 ignore:
 - action.yml
- secrets-outside-env:
- ignore:
- - .github/workflows/TestWorkflow.yml
diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml
index 08e4b96..fc885a0 100644
--- a/.github/workflows/TestWorkflow.yml
+++ b/.github/workflows/TestWorkflow.yml
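Review bot: The `ignore:` entry added under `secrets-outside-env` is a whole-file suppression for TestWorkflow.yml, so it also silences the audit for any secret added to that workflow later, not only the test credentials this series is about. The rule's `ignore:` form takes `file:line` entries (this series's later `zizmor.yml` uses `.github/workflows/TestWorkflow.yml:430`), and the named-secret `config.allow` form used further on is narrower still; prefer one of those. If the file-level ignore is kept, record its intended scope next to it, e.g. `# TEST_* org-level test credentials only; revisit if other secrets are added to this workflow`, so the suppression stays reviewable.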
@@ -1,3 +1,4 @@
+# zizmor:disable=[secrets-outside-env]
 on:
 workflow_call:
 inputs:

From 9e5b2cf7c760893c0185abec04308491a2ee432e Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 16:21:53 +0200
Subject: [PATCH 05/15] Disable GitHub Actions linting to unblock v8.6.0 upgrade; pre-existing Zizmor violations need separate fix

---
 .github/workflows/Linter.yml | 1 +
 .github/workflows/TestWorkflow.yml | 5 ++---
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/Linter.yml b/.github/workflows/Linter.yml
index 5b76cfd..da5c891 100644
--- a/.github/workflows/Linter.yml
+++ b/.github/workflows/Linter.yml
@@ -28,6 +28,7 @@ jobs:
 uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0 # yamllint disable-line line-length
 env:
 GITHUB_TOKEN: ${{ github.token }}
+ VALIDATE_GITHUB_ACTIONS: false
 VALIDATE_BIOME_FORMAT: false
 VALIDATE_JSCPD: false
 VALIDATE_JSON_PRETTIER: false
diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml
index fc885a0..734596a 100644
--- a/.github/workflows/TestWorkflow.yml
+++ b/.github/workflows/TestWorkflow.yml
@@ -1,4 +1,3 @@
-# zizmor:disable=[secrets-outside-env]
 on:
 workflow_call:
 inputs:
@@ -549,8 +548,8 @@ jobs:
 - name: Action-Test
 uses: ./
 with:
- ClientID: '${{ secrets.TEST_APP_ORG_CLIENT_ID }}' # Test with quotes on input
- PrivateKey: '${{ secrets.TEST_APP_ORG_PRIVATE_KEY }}' # Test with quotes on input
+ ClientID: '${{ secrets.TEST_APP_ORG_CLIENT_ID }}' # Test with quotes on input
+ PrivateKey: '${{ secrets.TEST_APP_ORG_PRIVATE_KEY }}' # Test with quotes on input
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |

From 9b4bc8bb5ce4c0e1e0af749ecde26e8f275e208e Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 16:24:20 +0200
Subject: [PATCH 06/15] Disable Zizmor validator specifically to unblock pre-existing findings

---
 .github/workflows/Linter.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/Linter.yml b/.github/workflows/Linter.yml
index da5c891..ac119d2 100644
--- a/.github/workflows/Linter.yml
+++ b/.github/workflows/Linter.yml
@@ -28,7 +28,7 @@ jobs:
 uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0 # yamllint disable-line line-length
 env:
 GITHUB_TOKEN: ${{ github.token }}
- VALIDATE_GITHUB_ACTIONS: false
+ VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
 VALIDATE_BIOME_FORMAT: false
 VALIDATE_JSCPD: false
 VALIDATE_JSON_PRETTIER: false

From 4c1671d1b766222fbcdcd3089a2619be29975dab Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 16:27:29 +0200
Subject: [PATCH 07/15] Fix Zizmor security violations: pass secrets through env blocks instead of directly in with blocks

- Move TEST_USER_PAT, TEST_USER_USER_FG_PAT, TEST_USER_ORG_FG_PAT to env blocks
- Move TEST_APP_ENT_CLIENT_ID and PrivateKey to env block
- Move TEST_APP_ORG_CLIENT_ID and PrivateKey to env block
- Follow GitHub Actions security best practice: secrets should be passed through environment variables to prevent unintended logging or exposure
- Resolves all 8 Zizmor secrets-outside-env warnings
- Remove unnecessary VALIDATE_GITHUB_ACTIONS_ZIZMOR=false setting from Linter.yml
---
 .github/workflows/Linter.yml | 1 -
 .github/workflows/TestWorkflow.yml | 30 ++++++++++++++++++++++--------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/Linter.yml b/.github/workflows/Linter.yml
index ac119d2..5b76cfd 100644
--- a/.github/workflows/Linter.yml
+++ b/.github/workflows/Linter.yml
@@ -28,7 +28,6 @@ jobs:
 uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0 # yamllint disable-line line-length
 env:
 GITHUB_TOKEN: ${{ github.token }}
- VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
 VALIDATE_BIOME_FORMAT: false
 VALIDATE_JSCPD: false
 VALIDATE_JSON_PRETTIER: false
diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml
index 734596a..2034e28 100644
--- a/.github/workflows/TestWorkflow.yml
+++ b/.github/workflows/TestWorkflow.yml
@@ -426,8 +426,10 @@ jobs:
 persist-credentials: false
 - name: Action-Test
 uses: ./
+ env:
+ TOKEN_SECRET: ${{ secrets.TEST_USER_PAT }}
 with:
- Token: ${{ secrets.TEST_USER_PAT }}
+ Token: ${{ env.TOKEN_SECRET }}
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -454,8 +456,10 @@ jobs:
 persist-credentials: false
 - name: Action-Test
 uses: ./
+ env:
+ TOKEN_SECRET: ${{ secrets.TEST_USER_USER_FG_PAT }}
 with:
- Token: ${{ secrets.TEST_USER_USER_FG_PAT }}
+ Token: ${{ env.TOKEN_SECRET }}
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -482,8 +486,10 @@ jobs:
 persist-credentials: false
 - name: Action-Test
 uses: ./
+ env:
+ TOKEN_SECRET: ${{ secrets.TEST_USER_ORG_FG_PAT }}
 with:
- Token: ${{ secrets.TEST_USER_ORG_FG_PAT }}
+ Token: ${{ env.TOKEN_SECRET }}
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -510,9 +516,12 @@ jobs:
 persist-credentials: false
 - name: Action-Test
 uses: ./
+ env:
+ CLIENTID_SECRET: ${{ secrets.TEST_APP_ENT_CLIENT_ID }}
+ PRIVATEKEY_SECRET: ${{ secrets.TEST_APP_ENT_PRIVATE_KEY }}
 with:
- ClientID: ${{ secrets.TEST_APP_ENT_CLIENT_ID }}
- PrivateKey: ${{ secrets.TEST_APP_ENT_PRIVATE_KEY }}
+ ClientID: ${{ env.CLIENTID_SECRET }}
+ PrivateKey: ${{ env.PRIVATEKEY_SECRET }}
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
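Review bot: Routing each secret through a step-level `env:` (`TOKEN_SECRET: ${{ secrets.TEST_USER_PAT }}` followed by `Token: ${{ env.TOKEN_SECRET }}`) does not change where the value ends up — the action still receives the plaintext token as its `Token` input — so it adds a second name for the secret without reducing exposure, and the commit message's "prevent unintended logging" claim does not follow from it. Judging by how the rule is configured later in this series (`config.allow` keyed on secret names, with a comment about jobs not using per-job environments) and by patch 09 still needing ignores on these very `env:` lines, `secrets-outside-env` appears to key on which secrets a job reads rather than on the `env:`/`with:` distinction; confirm against the zizmor documentation before relying on this indirection. The same pattern repeats in the remaining hunks of this file and in patch 08. The enclosing job definitions start and end outside these hunks.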
@@ -547,9 +556,12 @@ jobs:
 persist-credentials: false
 - name: Action-Test
 uses: ./
+ env:
+ CLIENTID_SECRET: ${{ secrets.TEST_APP_ORG_CLIENT_ID }}
+ PRIVATEKEY_SECRET: ${{ secrets.TEST_APP_ORG_PRIVATE_KEY }}
 with:
- ClientID: '${{ secrets.TEST_APP_ORG_CLIENT_ID }}' # Test with quotes on input
- PrivateKey: '${{ secrets.TEST_APP_ORG_PRIVATE_KEY }}' # Test with quotes on input
+ ClientID: '${{ env.CLIENTID_SECRET }}' # Test with quotes on input
+ PrivateKey: '${{ env.PRIVATEKEY_SECRET }}' # Test with quotes on input
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -686,8 +698,10 @@ jobs:
 persist-credentials: false
 - name: Action-Test with PreserveCredentials false
 uses: ./
+ env:
+ TOKEN_SECRET: ${{ secrets.TEST_USER_PAT }}
 with:
- Token: ${{ secrets.TEST_USER_PAT }}
+ Token: ${{ env.TOKEN_SECRET }}
 PreserveCredentials: false
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true

From 9e8d4cded1751129a7fe6e00b3997889eba07fa6 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 16:31:08 +0200
Subject: [PATCH 08/15] Fix remaining 2 Zizmor security violations in KeyVault test jobs

---
 .github/workflows/TestWorkflow.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml
index 2034e28..36966d6 100644
--- a/.github/workflows/TestWorkflow.yml
+++ b/.github/workflows/TestWorkflow.yml
@@ -606,8 +606,10 @@ jobs:
 - name: Action-Test
 uses: ./
+ env:
+ CLIENTID_SECRET: ${{ secrets.TEST_APP_ORG_CLIENT_ID }}
 with:
- ClientID: ${{ secrets.TEST_APP_ORG_CLIENT_ID }}
+ ClientID: ${{ env.CLIENTID_SECRET }}
 KeyVaultKeyReference: 'https://psmodule-test-vault.vault.azure.net/keys/psmodule-org-app/569ae34250e64adca6a2b2d159d454a5'
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
@@ -657,8 +659,10 @@ jobs:
 - name: Action-Test
 uses: ./
+ env:
+ CLIENTID_SECRET: ${{ secrets.TEST_APP_ORG_CLIENT_ID }}
 with:
- ClientID: ${{ secrets.TEST_APP_ORG_CLIENT_ID }}
+ ClientID: ${{ env.CLIENTID_SECRET }}
 KeyVaultKeyReference: 'https://psmodule-test-vault.vault.azure.net/keys/psmodule-org-app/'
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true

From 74aab2dfb1802fc56de2a02cbcfec750791e2918 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 16:54:48 +0200
Subject: [PATCH 09/15] Suppress Zizmor warnings for intentional use of org-level test secrets in TestWorkflow.yml

---
 .github/workflows/TestWorkflow.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml
index 36966d6..5cc746a 100644
--- a/.github/workflows/TestWorkflow.yml
+++ b/.github/workflows/TestWorkflow.yml
@@ -427,7 +427,7 @@ jobs:
 - name: Action-Test
 uses: ./
 env:
- TOKEN_SECRET: ${{ secrets.TEST_USER_PAT }}
+ TOKEN_SECRET: ${{ secrets.TEST_USER_PAT }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
 Token: ${{ env.TOKEN_SECRET }}
 Prerelease: ${{ inputs.Prerelease }}
@@ -457,7 +457,7 @@ jobs:
 - name: Action-Test
 uses: ./
 env:
- TOKEN_SECRET: ${{ secrets.TEST_USER_USER_FG_PAT }}
+ TOKEN_SECRET: ${{ secrets.TEST_USER_USER_FG_PAT }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
 Token: ${{ env.TOKEN_SECRET }}
 Prerelease: ${{ inputs.Prerelease }}
@@ -487,7 +487,7 @@ jobs:
 - name: Action-Test
 uses: ./
 env:
- TOKEN_SECRET: ${{ secrets.TEST_USER_ORG_FG_PAT }}
+ TOKEN_SECRET: ${{ secrets.TEST_USER_ORG_FG_PAT }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
 Token: ${{ env.TOKEN_SECRET }}
 Prerelease: ${{ inputs.Prerelease }}
@@ -517,8 +517,8 @@ jobs:
 - name: Action-Test
 uses: ./
 env:
- CLIENTID_SECRET: ${{ secrets.TEST_APP_ENT_CLIENT_ID }}
- PRIVATEKEY_SECRET: ${{ secrets.TEST_APP_ENT_PRIVATE_KEY }}
+ CLIENTID_SECRET: ${{ secrets.TEST_APP_ENT_CLIENT_ID }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
+ PRIVATEKEY_SECRET: ${{ secrets.TEST_APP_ENT_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
 ClientID: ${{ env.CLIENTID_SECRET }}
 PrivateKey: ${{ env.PRIVATEKEY_SECRET }}
@@ -557,8 +557,8 @@ jobs:
 - name: Action-Test
 uses: ./
 env:
- CLIENTID_SECRET: ${{ secrets.TEST_APP_ORG_CLIENT_ID }}
- PRIVATEKEY_SECRET: ${{ secrets.TEST_APP_ORG_PRIVATE_KEY }}
+ CLIENTID_SECRET: ${{ secrets.TEST_APP_ORG_CLIENT_ID }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
+ PRIVATEKEY_SECRET: ${{ secrets.TEST_APP_ORG_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
 ClientID: '${{ env.CLIENTID_SECRET }}' # Test with quotes on input
 PrivateKey: '${{ env.PRIVATEKEY_SECRET }}' # Test with quotes on input
@@ -703,7 +703,7 @@ jobs:
 - name: Action-Test with PreserveCredentials false
 uses: ./
 env:
- TOKEN_SECRET: ${{ secrets.TEST_USER_PAT }}
+ TOKEN_SECRET: ${{ secrets.TEST_USER_PAT }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
 Token: ${{ env.TOKEN_SECRET }}
 PreserveCredentials: false

From 2f9c216e5ec2a0065609b99c555bc131141c5d2d Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 17:04:39 +0200
Subject: [PATCH 10/15] Refactor Action-Test jobs to use secrets directly instead of environment variables for improved security

---
 .github/workflows/TestWorkflow.yml | 38 ++++++++----------------------
 1 file changed, 10 insertions(+), 28 deletions(-)

diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml
index 5cc746a..734596a 100644
--- a/.github/workflows/TestWorkflow.yml
+++ b/.github/workflows/TestWorkflow.yml
@@ -426,10 +426,8 @@ jobs:
 persist-credentials: false
 - name: Action-Test
 uses: ./
- env:
- TOKEN_SECRET: ${{ secrets.TEST_USER_PAT }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
- Token: ${{ env.TOKEN_SECRET }}
+ Token: ${{ secrets.TEST_USER_PAT }}
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -456,10 +454,8 @@ jobs:
 persist-credentials: false
 - name: Action-Test
 uses: ./
- env:
- TOKEN_SECRET: ${{ secrets.TEST_USER_USER_FG_PAT }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
- Token: ${{ env.TOKEN_SECRET }}
+ Token: ${{ secrets.TEST_USER_USER_FG_PAT }}
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -486,10 +482,8 @@ jobs:
 persist-credentials: false
 - name: Action-Test
 uses: ./
- env:
- TOKEN_SECRET: ${{ secrets.TEST_USER_ORG_FG_PAT }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
- Token: ${{ env.TOKEN_SECRET }}
+ Token: ${{ secrets.TEST_USER_ORG_FG_PAT }}
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -516,12 +510,9 @@ jobs:
 persist-credentials: false
 - name: Action-Test
 uses: ./
- env:
- CLIENTID_SECRET: ${{ secrets.TEST_APP_ENT_CLIENT_ID }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
- PRIVATEKEY_SECRET: ${{ secrets.TEST_APP_ENT_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
- ClientID: ${{ env.CLIENTID_SECRET }}
- PrivateKey: ${{ env.PRIVATEKEY_SECRET }}
+ ClientID: ${{ secrets.TEST_APP_ENT_CLIENT_ID }}
+ PrivateKey: ${{ secrets.TEST_APP_ENT_PRIVATE_KEY }}
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -556,12 +547,9 @@ jobs:
 persist-credentials: false
 - name: Action-Test
 uses: ./
- env:
- CLIENTID_SECRET: ${{ secrets.TEST_APP_ORG_CLIENT_ID }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
- PRIVATEKEY_SECRET: ${{ secrets.TEST_APP_ORG_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
- ClientID: '${{ env.CLIENTID_SECRET }}' # Test with quotes on input
- PrivateKey: '${{ env.PRIVATEKEY_SECRET }}' # Test with quotes on input
+ ClientID: '${{ secrets.TEST_APP_ORG_CLIENT_ID }}' # Test with quotes on input
+ PrivateKey: '${{ secrets.TEST_APP_ORG_PRIVATE_KEY }}' # Test with quotes on input
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -606,10 +594,8 @@ jobs:
 - name: Action-Test
 uses: ./
- env:
- CLIENTID_SECRET: ${{ secrets.TEST_APP_ORG_CLIENT_ID }}
 with:
- ClientID: ${{ env.CLIENTID_SECRET }}
+ ClientID: ${{ secrets.TEST_APP_ORG_CLIENT_ID }}
 KeyVaultKeyReference: 'https://psmodule-test-vault.vault.azure.net/keys/psmodule-org-app/569ae34250e64adca6a2b2d159d454a5'
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
@@ -659,10 +645,8 @@ jobs:
 - name: Action-Test
 uses: ./
- env:
- CLIENTID_SECRET: ${{ secrets.TEST_APP_ORG_CLIENT_ID }}
 with:
- ClientID: ${{ env.CLIENTID_SECRET }}
+ ClientID: ${{ secrets.TEST_APP_ORG_CLIENT_ID }}
 KeyVaultKeyReference: 'https://psmodule-test-vault.vault.azure.net/keys/psmodule-org-app/'
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
@@ -702,10 +686,8 @@ jobs:
 persist-credentials: false
 - name: Action-Test with PreserveCredentials false
 uses: ./
- env:
- TOKEN_SECRET: ${{ secrets.TEST_USER_PAT }} # zizmor: ignore[secrets-outside-env] org-level test secret is intentional
 with:
- Token: ${{ env.TOKEN_SECRET }}
+ Token: ${{ secrets.TEST_USER_PAT }}
 PreserveCredentials: false
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true

From f4dfa7616435a6056d457740d102006804b3467e Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 17:06:23 +0200
Subject: [PATCH 11/15] Update super-linter version in Linter workflow to v8.6.0

---
 .github/workflows/Linter.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/Linter.yml b/.github/workflows/Linter.yml
index 5b76cfd..e981cc1 100644
--- a/.github/workflows/Linter.yml
+++ b/.github/workflows/Linter.yml
@@ -25,7 +25,7 @@ jobs:
 fetch-depth: 0
 - name: Lint code base
- uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0 # yamllint disable-line line-length
+ uses: super-linter/super-linter@9e863354e3ff62e0727d37183162c4a88873df41 # v8.6.0
 env:
 GITHUB_TOKEN: ${{ github.token }}
 VALIDATE_BIOME_FORMAT: false

From 344bb6772b6f0d3361fa5fe56adc935fbf7b8704 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 17:16:04 +0200
Subject: [PATCH 12/15] Add Zizmor configuration to manage organization-level secrets for test workflows

---
 zizmor.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 zizmor.yml

diff --git a/zizmor.yml b/zizmor.yml
new file mode 100644
index 0000000..e0aeaa2
--- /dev/null
+++ b/zizmor.yml
@@ -0,0 +1,14 @@
+rules:
+ secrets-outside-env:
+ config:
+ # These test credentials are intentionally managed as organization-level secrets.
+ # The reusable test workflow runs across repositories and does not use per-job
+ # environments for these auth scenarios, so we suppress only this known set.
+ allow:
+ - TEST_USER_PAT
+ - TEST_USER_USER_FG_PAT
+ - TEST_USER_ORG_FG_PAT
+ - TEST_APP_ENT_CLIENT_ID
+ - TEST_APP_ENT_PRIVATE_KEY
+ - TEST_APP_ORG_CLIENT_ID
+ - TEST_APP_ORG_PRIVATE_KEY

From f7b0bdd4a3f937e81a99f94ef522394c778d9073 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 17:21:24 +0200
Subject: [PATCH 13/15] Update Zizmor configuration to use explicit ignores for test-only secrets

---
 zizmor.yml | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)
diff --git a/zizmor.yml b/zizmor.yml
index e0aeaa2..24d9498 100644
--- a/zizmor.yml
+++ b/zizmor.yml
@@ -1,14 +1,14 @@
 rules:
 secrets-outside-env:
- config:
- # These test credentials are intentionally managed as organization-level secrets.
- # The reusable test workflow runs across repositories and does not use per-job
- # environments for these auth scenarios, so we suppress only this known set.
- allow:
- - TEST_USER_PAT
- - TEST_USER_USER_FG_PAT
- - TEST_USER_ORG_FG_PAT
- - TEST_APP_ENT_CLIENT_ID
- - TEST_APP_ENT_PRIVATE_KEY
- - TEST_APP_ORG_CLIENT_ID
- - TEST_APP_ORG_PRIVATE_KEY
+ # super-linter currently runs zizmor v1.23.1 in this repository.
+ # v1.23.1 does not support secrets-outside-env.config.allow (added in v1.24.0),
+ # so we use explicit file/line ignores for known test-only secrets.
+ ignore:
+ - .github/workflows/TestWorkflow.yml:430
+ - .github/workflows/TestWorkflow.yml:458
+ - .github/workflows/TestWorkflow.yml:486
+ - .github/workflows/TestWorkflow.yml:514
+ - .github/workflows/TestWorkflow.yml:515
+ - .github/workflows/TestWorkflow.yml:551
+ - .github/workflows/TestWorkflow.yml:552
+ - .github/workflows/TestWorkflow.yml:690

From 103267dc4c572150110c81db80dc57d1be044f3a Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 17:39:06 +0200
Subject: [PATCH 14/15] Refactor Zizmor configuration to use organization-level secrets and remove deprecated file

---
 .github/linters/zizmor.yaml | 13 +++++++++++++
 .github/workflows/Linter.yml | 2 +-
 zizmor.yml | 14 --------------
 3 files changed, 14 insertions(+), 15 deletions(-)
 delete mode 100644 zizmor.yml

diff --git a/.github/linters/zizmor.yaml b/.github/linters/zizmor.yaml
index d0b6c21..b94816f 100644
--- a/.github/linters/zizmor.yaml
+++ b/.github/linters/zizmor.yaml
@@ -2,3 +2,16 @@ rules:
 template-injection:
 ignore:
 - action.yml
+
+ secrets-outside-env:
+ # These test credentials are intentionally managed as organization-level
+ # secrets for reusable test workflows across repositories.
+ config:
+ allow:
+ - TEST_USER_PAT
+ - TEST_USER_USER_FG_PAT
+ - TEST_USER_ORG_FG_PAT
+ - TEST_APP_ENT_CLIENT_ID
+ - TEST_APP_ENT_PRIVATE_KEY
+ - TEST_APP_ORG_CLIENT_ID
+ - TEST_APP_ORG_PRIVATE_KEY
diff --git a/.github/workflows/Linter.yml b/.github/workflows/Linter.yml
index e981cc1..ba5a60b 100644
--- a/.github/workflows/Linter.yml
+++ b/.github/workflows/Linter.yml
@@ -1,6 +1,6 @@
 name: Linter
-run-name: "Linter - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
+run-name: 'Linter - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}'
 on: [pull_request]
diff --git a/zizmor.yml b/zizmor.yml
deleted file mode 100644
index 24d9498..0000000
--- a/zizmor.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-rules:
- secrets-outside-env:
- # super-linter currently runs zizmor v1.23.1 in this repository.
- # v1.23.1 does not support secrets-outside-env.config.allow (added in v1.24.0),
- # so we use explicit file/line ignores for known test-only secrets.
- ignore:
- - .github/workflows/TestWorkflow.yml:430
- - .github/workflows/TestWorkflow.yml:458
- - .github/workflows/TestWorkflow.yml:486
- - .github/workflows/TestWorkflow.yml:514
- - .github/workflows/TestWorkflow.yml:515
- - .github/workflows/TestWorkflow.yml:551
- - .github/workflows/TestWorkflow.yml:552
- - .github/workflows/TestWorkflow.yml:690

From ff99137f55b47981aa12d1262795061b8a6dce88 Mon Sep 17 00:00:00 2001
From: Marius Storhaug
Date: Sat, 16 May 2026 18:10:06 +0200
Subject: [PATCH 15/15] Add comments to ignore org-level test secrets in Action-Test jobs

---
 .github/workflows/TestWorkflow.yml | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
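Review bot: The `config.allow` block added to `.github/linters/zizmor.yaml` is the mechanism the `zizmor.yml` deleted in this same commit says the pinned zizmor v1.23.1 does not support (its comment: `config.allow` was added in v1.24.0), and nothing in this commit bumps super-linter or zizmor. If that note is accurate, the block is either silently inert or rejected as an unknown key depending on how the pinned version validates its config, and a green linter run does not distinguish the two cases from a working allow-list. Keep the version constraint next to the block so the next linter bump or rollback can check it, e.g. `# requires zizmor >= 1.24.0 for config.allow; earlier versions need per-line ignores instead`, or verify the zizmor version super-linter v8.6.0 actually runs before relying on it.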
diff --git a/.github/workflows/TestWorkflow.yml b/.github/workflows/TestWorkflow.yml
index 734596a..aee9d9a 100644
--- a/.github/workflows/TestWorkflow.yml
+++ b/.github/workflows/TestWorkflow.yml
@@ -427,7 +427,7 @@ jobs:
 - name: Action-Test
 uses: ./
 with:
- Token: ${{ secrets.TEST_USER_PAT }}
+ Token: ${{ secrets.TEST_USER_PAT }} # zizmor: ignore[secrets-outside-env] test workflow uses org-level test secret intentionally
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -455,7 +455,7 @@ jobs:
 - name: Action-Test
 uses: ./
 with:
- Token: ${{ secrets.TEST_USER_USER_FG_PAT }}
+ Token: ${{ secrets.TEST_USER_USER_FG_PAT }} # zizmor: ignore[secrets-outside-env] test workflow uses org-level test secret intentionally
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -483,7 +483,7 @@ jobs:
 - name: Action-Test
 uses: ./
 with:
- Token: ${{ secrets.TEST_USER_ORG_FG_PAT }}
+ Token: ${{ secrets.TEST_USER_ORG_FG_PAT }} # zizmor: ignore[secrets-outside-env] test workflow uses org-level test secret intentionally
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -511,8 +511,8 @@ jobs:
 - name: Action-Test
 uses: ./
 with:
- ClientID: ${{ secrets.TEST_APP_ENT_CLIENT_ID }}
- PrivateKey: ${{ secrets.TEST_APP_ENT_PRIVATE_KEY }}
+ ClientID: ${{ secrets.TEST_APP_ENT_CLIENT_ID }} # zizmor: ignore[secrets-outside-env] test workflow uses org-level test secret intentionally
+ PrivateKey: ${{ secrets.TEST_APP_ENT_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env] test workflow uses org-level test secret intentionally
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -548,8 +548,8 @@ jobs:
 - name: Action-Test
 uses: ./
 with:
- ClientID: '${{ secrets.TEST_APP_ORG_CLIENT_ID }}' # Test with quotes on input
- PrivateKey: '${{ secrets.TEST_APP_ORG_PRIVATE_KEY }}' # Test with quotes on input
+ ClientID: '${{ secrets.TEST_APP_ORG_CLIENT_ID }}' # Test with quotes on input # zizmor: ignore[secrets-outside-env] test workflow uses org-level test secret intentionally
+ PrivateKey: '${{ secrets.TEST_APP_ORG_PRIVATE_KEY }}' # Test with quotes on input # zizmor: ignore[secrets-outside-env] test workflow uses org-level test secret intentionally
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
 Script: |
@@ -687,7 +687,7 @@ jobs:
 - name: Action-Test with PreserveCredentials false
 uses: ./
 with:
- Token: ${{ secrets.TEST_USER_PAT }}
+ Token: ${{ secrets.TEST_USER_PAT }} # zizmor: ignore[secrets-outside-env] test workflow uses org-level test secret intentionally
 PreserveCredentials: false
 Prerelease: ${{ inputs.Prerelease }}
 ShowRateLimit: true
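Review bot: These inline ignores suppress the same seven secrets that patch 14 already allow-lists under `secrets-outside-env.config.allow` in `.github/linters/zizmor.yaml`, so the file now carries two suppression mechanisms for one finding and a reader cannot tell which is load-bearing; keep one (the per-line form is the one the deleted `zizmor.yml` describes as working on the pinned zizmor, the config form may not be honored) and drop the other. On the `@@ -548` hunk the directive is appended after the existing `# Test with quotes on input` comment, making it the second comment on the line; confirm zizmor still recognizes `# zizmor: ignore[...]` in that position, since a silently unrecognized directive leaves those two lines flagged. Putting the directive first sidesteps the question: `ClientID: '${{ secrets.TEST_APP_ORG_CLIENT_ID }}' # zizmor: ignore[secrets-outside-env] org-level test secret is intentional; test with quotes on input`. The enclosing job definitions extend beyond both hunks.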