
ci: add Zizmor workflow#172

Open
tonyandrewmeyer wants to merge 12 commits into canonical:main from tonyandrewmeyer:ci-add-zizmor

Conversation


@tonyandrewmeyer tonyandrewmeyer commented Mar 21, 2026

This PR adds static workflow analysis using Zizmor. The standard Charm Tech configuration is used.

In addition, some minor findings are addressed:

  • Default to empty permissions
  • Pin actions
  • Don't persist Git credentials

Two drive-by fixes to get CI to pass:

  • Skip a test that needs an expired key. This is in apt, which has been migrated to charmlibs, so it seems harmless to skip.
  • Modernise the integration tests for juju-systemd-notices. This avoids fixing issues in linked workflow actions.
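As an added illustration of the three hardening points listed above (not the workflow file from this PR, and not the Charm Tech configuration the description refers to), here is a minimal GitHub Actions workflow that defaults to empty permissions, pins each action to a commit SHA, disables credential persistence on checkout, and runs zizmor with SARIF output so Code Scanning can annotate findings. The job layout, the use of `uvx` to run zizmor, and the commit SHAs (written as all-zero placeholders) are assumptions; a real pin is the full 40-character SHA of the release in use, with the tag it corresponds to recorded in a trailing comment.

```yaml
# Added example: a hardened CI workflow, not the file from this PR.
name: zizmor

on:
  push:
    branches: [main]
  pull_request:

# Weak form: omitting this line, which grants the workflow the repository's
# default token permissions. Hardened form: start from nothing and let each
# job request only what it needs.
permissions: {}

jobs:
  zizmor:
    runs-on: ubuntu-latest
    permissions:
      contents: read          # read the repository contents
      security-events: write  # upload SARIF to Code Scanning
    steps:
      - name: Checkout
        # Weak form: `uses: actions/checkout@v4`, a mutable tag that can be
        # moved. Hardened form: pin to a commit SHA (placeholder shown) and
        # note the matching tag so reviewers can still read it.
        uses: actions/checkout@0000000000000000000000000000000000000000 # vX.Y.Z
        with:
          # Weak form: the default (true) leaves GITHUB_TOKEN in .git/config,
          # where any later step or uploaded artifact can read it.
          persist-credentials: false

      - name: Install uv
        uses: astral-sh/setup-uv@0000000000000000000000000000000000000000 # vX.Y.Z

      - name: Run zizmor
        # zizmor is published on PyPI, so uvx can run it without adding a
        # pyproject.toml to the repository. SARIF output feeds Code Scanning.
        run: uvx zizmor --format sarif . > results.sarif
        env:
          # Lets zizmor query GitHub when checking pinned action references.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@0000000000000000000000000000000000000000 # vX
        with:
          sarif_file: results.sarif
          category: zizmor
```

Each of the three bullets maps onto a zizmor audit: `excessive-permissions` reports workflows and jobs without a tightened `permissions:` block, `unpinned-uses` reports `uses:` references that are not pinned to a commit SHA, and `artipacked` reports checkouts that leave `persist-credentials` at its default. Running the workflow on a pull request, as above, surfaces these on the PR before the change merges.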

@tonyandrewmeyer tonyandrewmeyer requested a review from dimaqq March 21, 2026 01:03
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

Claude did the initial Jubilant migration pass and I took over from there.
Continue with the charm plugin for now. Switching to uv would be nice, but involves adding a pyproject.toml and so on, and this is already large for a drive-by for a library that has an uncertain future.

@james-garner-canonical james-garner-canonical left a comment


Changes look reasonable to me. Nice to get broken tests working. We should probably look at archiving the repo soon, but better to archive it in a cleaner state than otherwise.

Co-authored-by: James Garner <james.garner@canonical.com>