chore(zizmor): restore pilot self-zizmor from closed #146 (#326)

isaiah-grafana · isaiah-grafana · commit e8b4e2ad5c08 · 2026-04-21T11:53:41.000-04:00
Re-apply reusable workflow pin to isaiah-grafana/shared-workflows@ca9579c and fail-severity critical for ruleset pilot testing (same as pre-close branch).
diff --git a/.github/workflows/self-zizmor.yaml b/.github/workflows/self-zizmor.yaml
@@ -45,10 +45,15 @@ jobs:
       - zizmor-check
     if: ${{ needs.zizmor-check.outputs.found-files == 'true' }}
 
-    uses: grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@5cec40ba1a943db268a9bb33f208c006b161d372
+    # Testing security-appsec#326: reusable with optional .github/zizmor-collection-ignore. Point org rulesets at
+    # branch test/zizmor-vendor-excludes-326 to validate; replace with grafana/shared-workflows@<merge SHA> for main.
+    # Pinned to fork SHA (not a branch ref) to satisfy code scanning unpinned-reusable-workflow rules; bump when testing new commits.
+    uses: isaiah-grafana/shared-workflows/.github/workflows/reusable-zizmor.yml@ca9579cb3a5b072b4f75af091380536c01131610
     with:
       runs-on: ${{ !github.event.repository.private && 'ubuntu-latest' || 'ubuntu-arm64-small' }}
-      fail-severity: high
+      # Pilot branch: only fail on critical so high-severity zizmor findings do not block ruleset/PR testing (#326).
+      # Revert to high when swapping uses: back to grafana/shared-workflows@<merge SHA> on main.
+      fail-severity: critical
       min-severity: high
       min-confidence: low
       extra-args: --offline
