Configure zizmor to check the action.yml/workflow files and address any issues by glaubinix · Pull Request #30 · packagist/conductor-github-action

glaubinix · 2026-04-21T13:06:54Z

This mainly fixes various potential code injection via template expansion in places where ${{ github.event.client_payload... }}" is used.

You can validate the changes by adjusting the Conductor action in your GH workflow file.

            - name: "Running Conductor"
              uses: packagist/conductor-github-action@zizmor-fixes

pscheit

oki just a few style nitpicks :) looks good though

IgorBenko

Nice, thanks 👍 Just a small typo

Co-authored-by: Igor Benko <igor.benko@gmail.com>

glaubinix added 8 commits April 21, 2026 08:42

Apply automatic zizmor fixes

ad6c942

Validate webhook URLs and Composer commands from the incoming payload

31a1a65

Fix potential code injection via template expansion with payload.branch

b15d7dc

Fix stray semicolon

efd8d73

GitHub Actions: configure zizmor to run on every PR/main

91295e1

Fix action.yml input description

4523e1c

Fix check file names

f6690b6

Attempts at fixinig COMPOSER_AUTH

6ac2914

glaubinix self-assigned this Apr 21, 2026

glaubinix requested a review from a team April 21, 2026 13:07

IgorBenko self-requested a review April 21, 2026 13:09

pscheit reviewed Apr 21, 2026

View reviewed changes

Comment thread action.yml Outdated

Document masking + CONDUCTOR_ACTION_VERSION steps

281d4ef

pscheit requested changes Apr 21, 2026

View reviewed changes

Comment thread action.yml Outdated

Comment thread action.yml Outdated

glaubinix added 2 commits April 21, 2026 15:06

Fix env variable names by dropping the GITHUB_EVENT_CLIENT_PAYLOAD_

a71d345

Sort GitHub action step properties to be consistent accross the action

b86d17b

glaubinix requested a review from pscheit April 21, 2026 14:16

pscheit approved these changes Apr 21, 2026

View reviewed changes

IgorBenko approved these changes Apr 21, 2026

View reviewed changes

Comment thread action.yml Outdated

Update action.yml

4406dc1

Co-authored-by: Igor Benko <igor.benko@gmail.com>

glaubinix merged commit 744286c into main Apr 21, 2026
1 check passed

glaubinix deleted the zizmor-fixes branch April 21, 2026 14:22

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Configure zizmor to check the action.yml/workflow files and address any issues#30

Configure zizmor to check the action.yml/workflow files and address any issues#30
glaubinix merged 12 commits intomainfrom
zizmor-fixes

glaubinix commented Apr 21, 2026

Uh oh!

Uh oh!

pscheit left a comment

Uh oh!

Uh oh!

Uh oh!

IgorBenko left a comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

glaubinix commented Apr 21, 2026

Uh oh!

Uh oh!

pscheit left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

IgorBenko left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants