
[ci] enforce 'zizmor' checks #7191

@jameslamb

Description

zizmor is a static analyzer that finds security issues in GitHub Actions configurations.

See https://github.com/zizmorcore/zizmor

It's especially helpful in recommending stricter settings than GitHub's defaults, which might be helpful for preventing things like https://www.stepsecurity.io/blog/hackerbot-claw-github-actions-exploitation

We should use it in LightGBM.

Benefits of this work

  • improves security posture in the repo

Acceptance criteria

  • zizmor is enforced in pre-commit hooks

Approach

See https://github.com/zizmorcore/zizmor-pre-commit for how to add this to pre-commit config.

Address the issues.

Notes

I (@jameslamb) will do this. It involves some interaction with the repo and organization settings that only admins can handle.

Just opening this to track the work.
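As an added example (not part of the issue above, and not LightGBM's own config), the two files the "Approach" section implies: a `.pre-commit-config.yaml` entry that runs zizmor on every commit, and a constructed workflow fragment showing the kind of stricter-than-default settings zizmor pushes you toward. The hook repository is the one linked above; the `rev` tag, the hook `id` (`zizmor`), the `zizmor.yml` path and the workflow contents are assumptions for illustration, so check them against the zizmor-pre-commit README before copying.

```yaml
# File 1 (assumed name): .pre-commit-config.yaml
# Adds zizmor as a pre-commit hook so GitHub Actions workflow files are
# statically checked before they can be committed.
repos:
  - repo: https://github.com/zizmorcore/zizmor-pre-commit
    rev: v1.0.0            # assumption: pin to a real release tag of the hook repo
    hooks:
      - id: zizmor         # assumption: hook id as published by zizmor-pre-commit
        # zizmor reads .github/zizmor.yml for per-rule ignores (assumed path);
        # pass --config explicitly if the repo keeps it elsewhere.
        args: ["--persona=regular"]   # assumption: default severity persona

---
# File 2 (constructed example, assumed path): .github/workflows/example.yml
# A workflow written the way zizmor's findings push you to write it:
# drop the default GITHUB_TOKEN permissions, avoid persisting credentials
# in the checkout, and pin third-party actions to a commit SHA.
name: example

on:
  pull_request:

# Stricter than GitHub's default: no token scopes unless a job asks for them.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    # Grant the minimum a job needs, at the job level, not the workflow level.
    permissions:
      contents: read
    steps:
      # Pinned to a full commit SHA (placeholder below, replace with the real one),
      # with the version kept as a trailing comment for readability.
      - uses: actions/checkout@0000000000000000000000000000000000000000  # v4 (placeholder SHA)
        with:
          # Do not leave the token on disk in .git/config for later steps to read.
          persist-credentials: false

      # Untrusted event data is passed through an env var, never interpolated
      # directly into the shell script with ${{ }}.
      - name: Print PR title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "$PR_TITLE"
```

Running `pre-commit run zizmor --all-files` once after adding the hook lists every existing finding; the usual order is to fix `permissions`, `persist-credentials` and unpinned `uses:` first, then document any remaining intentional exceptions in the zizmor config rather than silencing the hook.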
