GitHub action security: zizmor

1 · Ned Batchelder · Oct. 30, 2024, 1:42 p.m.
Zizmor is a new tool to check your GitHub action workflows for security concerns. I found it really helpful to lock down actions.

Action workflows can be esoteric, and continuous integration is not everyone’s top concern, so it’s easy for them to have subtle flaws. A tool like zizmor is great for drawing attention to them.

When I ran it, I had a few issues to fix:

Some data available to actions is manipulable by unknown people, so you have to avoid interpolating it directly into shell commands. ...
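The interpolation problem mentioned above, shown as a constructed workflow (an added example, not a workflow from the post or from the zizmor project): the first step expands an attacker-controllable value straight into a `run:` script, the second passes the same value through an environment variable. The workflow name, job name and step names are made up for the illustration; `github.event.issue.title` is the real expression context for the title of the issue that triggered the workflow.

```yaml
name: greet-issue-author  # constructed example workflow

on:
  issues:
    types: [opened]

jobs:
  greet:
    runs-on: ubuntu-latest
    steps:
      # Risky: anyone who can open an issue controls its title, and the
      # ${{ }} expression is substituted into the script text *before* the
      # shell parses it. Quotes or shell metacharacters in the title therefore
      # become part of the command line rather than part of the data.
      - name: Echo title (interpolated into the shell)
        run: echo "New issue: ${{ github.event.issue.title }}"

      # Safer: the expression is evaluated into an environment variable by the
      # runner, and the script only ever reads $TITLE. The shell treats the
      # variable's contents as data, and the double quotes keep it as a single
      # argument even if it contains spaces or newlines.
      - name: Echo title (via environment variable)
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
```

The same pattern applies to any event-derived field that outside contributors can set (pull request titles and bodies, branch names, commit messages, review comments): evaluate the expression into `env:` or into an action input, and keep `${{ }}` out of `run:` blocks entirely. That makes the rule mechanical enough for a linter to check, which is the kind of finding zizmor reports.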