[4.2.x] Added GitHub Actions linter (zizmor).

At the direction of the Security Team. Thanks Markus Holtermann, Jake Howard, and Natalia Bidart for reviews. Backport of 09d4bf5cd9 from main.
2026-02-09 02:49:25 +08:00 · 2025-11-14 13:30:30 -05:00
parent 9d6aa2d0ae
commit 0f4d5303a2
5 changed files with 28 additions and 3 deletions
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -60,3 +60,14 @@ jobs:
        uses: actions/checkout@v4
      - name: black
        uses: psf/black@23.12.1
+
+  zizmor:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v5
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+        with:
+          advanced-security: false
+          annotations: true
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -22,3 +22,7 @@ repos:
    rev: v8.36.0
    hooks:
      - id: eslint
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.16.3 
+    hooks:
+    - id: zizmor
--- a/docs/internals/contributing/writing-code/submitting-patches.txt
+++ b/docs/internals/contributing/writing-code/submitting-patches.txt
@@ -320,8 +320,8 @@ All code changes

 * Does the :doc:`coding style
  </internals/contributing/writing-code/coding-style>` conform to our
-  guidelines? Are there any  ``black``, ``blacken-docs``, ``flake8``, or
-  ``isort`` errors? You can install the :ref:`pre-commit
+  guidelines? Are there any  ``black``, ``blacken-docs``, ``flake8``,
+  ``isort``, or ``zizmor`` errors? You can install the :ref:`pre-commit
  <coding-style-pre-commit>` hooks to automatically catch these errors.
 * If the change is backwards incompatible in any way, is there a note
  in the release notes (``docs/releases/A.B.txt``)?
--- a/docs/internals/contributing/writing-code/unit-tests.txt
+++ b/docs/internals/contributing/writing-code/unit-tests.txt
@@ -69,7 +69,7 @@ command from any place in the Django source tree:
    $ tox

 By default, ``tox`` runs the test suite with the bundled test settings file for
-SQLite, ``black``, ``blacken-docs``, ``flake8``, ``isort``, and the
+SQLite, ``black``, ``blacken-docs``, ``flake8``, ``isort``, ``zizmor``, and the
 documentation spelling checker. In addition to the system dependencies noted
 elsewhere in this documentation, the command ``python3`` must be on your path
 and linked to the appropriate version of Python. A list of default environments
@@ -84,6 +84,7 @@ can be seen as follows:
    flake8>=3.7.0
    docs
    isort>=5.1.0
+    zizmor>=1.16.3

 Testing other Python versions and database backends
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--- a/tox.ini
+++ b/tox.ini
@@ -13,6 +13,7 @@ envlist =
    flake8
    docs
    isort
+    zizmor

 # Add environment to use the default python3 installation
 [testenv:py3]
@@ -86,3 +87,11 @@ allowlist_externals =
 commands =
    npm install
    npm test
+
+[testenv:zizmor]
+basepython = python3
+usedevelop = false
+deps = zizmor >= 1.16.3
+changedir = {toxinidir}
+commands =
+    zizmor .