From d7dc3877c240f39e3195f9bfc3dd3f2021c6c64b Mon Sep 17 00:00:00 2001 From: Jarek Potiuk Date: Sun, 24 May 2026 17:53:55 +0200 Subject: [PATCH] allowlist: silence zizmor unpinned-tools on if:false 1Password load-secrets-action MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit zizmor v1.25.2 (shipped by zizmor-action v0.5.6) added the unpinned-tools audit, which flags `1Password/load-secrets-action` at line 40 of `.github/actions/for-dependabot-triggered-reviews/action.yml` because that action installs the 1Password CLI from an unpinned URL when it runs. In this file the step is `if: false` — it never executes; the entry exists only so dependabot tracks the SHA for inclusion in the approved allowlist. zizmor's `unpinned-tools` audit doesn't currently understand `if: false` and produces a false positive. Suppress with an inline `# zizmor: ignore[unpinned-tools]` comment plus an explanatory tail, matching the pattern already used for `secrets-outside-env` and `dependabot-cooldown` ignores in this repo. This unblocks #885 (zizmor-action v0.5.5 → v0.5.6). Generated-by: Claude Code (Claude Opus 4.7) --- .github/actions/for-dependabot-triggered-reviews/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/for-dependabot-triggered-reviews/action.yml b/.github/actions/for-dependabot-triggered-reviews/action.yml index 074a4e27..cd473e2a 100644 --- a/.github/actions/for-dependabot-triggered-reviews/action.yml +++ b/.github/actions/for-dependabot-triggered-reviews/action.yml @@ -38,7 +38,7 @@ runs: using: "composite" steps: - uses: 1Password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259 # v4.0.0 - if: false + if: false # zizmor: ignore[unpinned-tools] step never runs; allowlist registration only - uses: 1Password/load-secrets-action/configure@92467eb28f72e8255933372f1e0707c567ce2259 # v4.0.0 if: false - uses: addnab/docker-run-action@4f65fabd2431ebc8d299f8e5a018d79a769ae185 # v3
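Review bot: The ignore comment lands on the `if: false` line (line 41 after this hunk), while the commit message says the unpinned-tools finding is reported at line 40, the `uses:` line; this suppression therefore only takes effect if zizmor accepts an ignore comment anywhere within the finding's span rather than only on the reported line. Please confirm by running zizmor on this file after the change, and if the finding still fires, move the comment onto the `uses:` line (`- uses: 1Password/load-secrets-action@92467eb28f72e8255933372f1e0707c567ce2259 # v4.0.0 # zizmor: ignore[unpinned-tools]`). It would also be worth checking that the `1Password/load-secrets-action/configure` step immediately below, which is likewise `if: false`, is not flagged by the same audit, since it receives no ignore here and would otherwise leave #885 still blocked.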