use zizmor

anthony-nhs · anthony-nhs · commit 4e343ca0817f · 2026-03-28T10:58:47.000Z
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -6,7 +6,7 @@
     "args": {
       "DOCKER_GID": "${env:DOCKER_GID:}",
       "IMAGE_NAME": "node_24_python_3_14",
-      "IMAGE_VERSION": "v1.2.0",
+      "IMAGE_VERSION": "pr-68-7f136dd",
       "USER_UID": "${localEnv:USER_ID:}",
       "USER_GID": "${localEnv:GROUP_ID:}"
     },
diff --git a/.github/workflows/combine-dependabot-prs.yml b/.github/workflows/combine-dependabot-prs.yml
diff --git a/.github/workflows/dependabot-auto-approve-and-merge.yml b/.github/workflows/dependabot-auto-approve-and-merge.yml
@@ -15,7 +15,7 @@ permissions:
 jobs:
     dependabot:
         runs-on: ubuntu-22.04
-        if: ${{ github.actor == 'dependabot[bot]' }}
+        if: (github.event.pull_request.user.login == 'dependabot[bot]' || github.event.pull_request.user.login == 'eps-create-pull-request[bot]') && github.repository == github.event.pull_request.head.repo.full_name
         steps:
             - name: Get token from Github App
               id: get_app_token
diff --git a/.github/workflows/get-repo-config.yml b/.github/workflows/get-repo-config.yml
@@ -53,6 +53,7 @@ jobs:
               with:
                   ref: ${{ env.BRANCH_NAME }}
                   fetch-depth: 0
+                  persist-credentials: false
 
             - name: Load config value
               id: load-config
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -43,4 +43,3 @@ jobs:
       pinned_image: ${{ needs.get_config_values.outputs.pinned_image }}
       branch_name: ${{ github.event.pull_request.head.ref }}
       tag_format: ${{ needs.get_config_values.outputs.tag_format }}
-    secrets: inherit
diff --git a/combine-prs.js b/combine-prs.js
diff --git a/zizmor.yml b/zizmor.yml
@@ -0,0 +1,26 @@
+rules:
+  dependabot-cooldown:
+    config:
+      days: 3
+  secrets-outside-env:
+    ignore:
+      # this workflow uses secrets outside of an environment
+      - tag-release-devcontainer.yml:108:39
+      - tag-release-devcontainer.yml:228:34
+      - tag-release-devcontainer.yml:234:35
+      - tag-release-devcontainer.yml:240:34
+      - tag-release-devcontainer.yml:248:35
+      - update-dev-container-version.yml:135:24
+      - update-dev-container-version.yml:136:29
+      - quality-checks-devcontainer.yml:210:28
+      - quality-checks-devcontainer.yml:203:28
+      - quality-checks-devcontainer.yml:190:29
+      - dependabot-auto-approve-and-merge.yml:24:31
+      - dependabot-auto-approve-and-merge.yml:25:36
+  unpinned-images:
+    ignore:
+      - quality-checks-devcontainer.yml:32:7
+      - quality-checks-devcontainer.yml:215:7
+      - quality-checks-devcontainer.yml:285:7
+      - quality-checks-devcontainer.yml:328:7
+      - tag-release-devcontainer.yml:89:13
