Auto-enable zizmor GHAS upload for public repos (#298)

dopey · claude · web-flow · commit f6c6c9e52686 · 2026-03-03T10:45:05.000-08:00
* ci: auto-enable zizmor GHAS upload for public repos

Move advanced-security auto-detection into zizmor.yml so any
caller benefits. Changes the input type from boolean to string
(default "") to distinguish "not set" from "false". When unset,
enables GHAS upload for public repos via
github.repository_visibility; explicit "true"/"false" overrides
still work via boolean coercion.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;

* ci: replace direct workflow calls with actionci in ci.yml

Replace the three separate actionlint, zizmor, and frizbee jobs with a
single actionci job that delegates to actionci.yml. Add
security-events: write permission so actionci.yml can propagate it to
the zizmor job for SARIF upload on this public repo.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;

---------

Co-authored-by: Claude &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/actionci.yml b/.github/workflows/actionci.yml
@@ -14,10 +14,10 @@ on:
         type: boolean
         default: true
       zizmor-advanced-security:
-        description: Upload zizmor results to GitHub Advanced Security
+        description: Upload zizmor results to GitHub Advanced Security. Leave unset to auto-enable for public repos, or set to "true"/"false" to override.
         required: false
-        type: boolean
-        default: false
+        type: string
+        default: ""
 
 permissions:
   contents: read
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -19,17 +19,11 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  actionlint:
-    name: Lint GitHub workflows
-    uses: ./.github/workflows/actionlint.yml
-
-  zizmor:
-    name: Scan GitHub workflows
-    uses: ./.github/workflows/zizmor.yml
-
-  frizbee:
-    name: Check action pinning
-    uses: ./.github/workflows/frizbee.yml
+  actionci:
+    uses: ./.github/workflows/actionci.yml
+    permissions:
+      contents: read
+      security-events: write
 
   lint-dummy-app: # NOTE(@azazeal): this check is here to verify that .golangci.yml is valid
     name: Lint dummy app
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -3,9 +3,9 @@ on:
   workflow_call:
     inputs:
       advanced-security:
-        description: Upload results to GitHub Advanced Security
-        type: boolean
-        default: false
+        description: Upload results to GitHub Advanced Security. Leave unset to auto-enable for public repos, or set to "true"/"false" to override.
+        type: string
+        default: ""
 
 jobs:
   zizmor:
@@ -20,4 +20,4 @@ jobs:
         with:
           min-severity: medium
           min-confidence: medium
-          advanced-security: ${{ inputs.advanced-security }}
+          advanced-security: ${{ (inputs.advanced-security == '' && github.repository_visibility == 'public') || inputs.advanced-security == 'true' }}
