Configuring Zizmor

workflow:audit uses zizmor to audit GitHub Actions and workflows. Zizmor reads its project configuration from a file named .zizmor.yml in the repository root.

As a starting point, copy the template shipped with the PTB:

rules:
  unpinned-uses:
    # Official GitHub actions & ones maintained by us may use a referential pin.
    # Third party GitHub actions must be defined with an SHA hash.
    config:
      policies:
        "actions/*": ref-pin
        exasol/python-toolbox/.github/actions/python-environment: ref-pin
        "*": hash-pin
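As an added illustration of what these policies enforce (example code, not zizmor's or the PTB's own), the script below classifies each `uses:` reference of a workflow as hash-pinned, ref-pinned, unpinned or local and checks it against the template's policies. The pattern precedence (exact path, then `owner/*`, then `*`) approximates zizmor's matching and is an assumption, as are the constructed sample references.

```python
import re

# Pin policies, mirroring the .zizmor.yml template above (pattern -> required pin).
POLICIES = {
    "actions/*": "ref-pin",
    "exasol/python-toolbox/.github/actions/python-environment": "ref-pin",
    "*": "hash-pin",
}

# Constructed `uses:` references from a hypothetical workflow, one per case.
USES = [
    "actions/checkout@v4",
    "exasol/python-toolbox/.github/actions/python-environment@1.2.0",
    "docker/login-action@v3",
    "docker/build-push-action@0adf9959216b96bec444f325f1e493d4aa344497",
    "./.github/actions/local",
]

SHA_RE = re.compile(r"^[0-9a-f]{40}$")  # a full git commit SHA


def pin_kind(uses):
    """Classify a `uses:` reference as local, unpinned, ref-pin or hash-pin."""
    if uses.startswith("./") or uses.startswith("docker://"):
        return "local"  # repo-local action or container image: no git ref to pin
    _, _, ref = uses.partition("@")
    if not ref:
        return "unpinned"
    return "hash-pin" if SHA_RE.match(ref) else "ref-pin"


def policy_for(path, policies):
    """Most specific pattern wins: exact path, then owner/*, then * (assumed order)."""
    if path in policies:
        return policies[path]
    owner_glob = path.split("/")[0] + "/*"
    if owner_glob in policies:
        return policies[owner_glob]
    return policies.get("*")


def audit(uses_refs, policies):
    """Map each reference to a verdict; a hash pin satisfies any policy,
    a ref pin only a ref-pin policy, an unpinned reference none."""
    verdicts = {}
    for uses in uses_refs:
        kind = pin_kind(uses)
        required = policy_for(uses.partition("@")[0], policies)
        ok = kind in ("local", "hash-pin") or (kind == "ref-pin" and required == "ref-pin")
        verdicts[uses] = "ok" if ok else f"{kind} violates {required}"
    return verdicts
```

Running `audit(USES, POLICIES)` flags only `docker/login-action@v3`: a third-party action matched by `"*"` must carry a commit SHA, while the official and PTB-maintained actions pass with a tag.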

For troubleshooting help, see Handling Zizmor Findings.