# Configuration for zizmor (static analysis for GitHub Actions).
# https://docs.zizmor.sh/configuration/
#
# Findings ignored here are *deliberate* design choices, not "TODOs we never
# got to". Anything new or unexpected should land as a finding in the Security
# tab and be triaged before merge. Add an entry here only with a comment
# explaining why the finding is acceptable.

rules:
  # `pull_request_target` and `workflow_run` are inherently dangerous, but we
  # use them in workflows that have been written defensively: they either
  # don't run untrusted code from the PR head, or they isolate untrusted state
  # into clearly-marked steps. Each entry below has a one-line justification.
  # Each bare filename silences the rule for the whole workflow; zizmor also
  # accepts `file.yml:line` / `file.yml:line:col` entries, which scope the
  # ignore to a single finding and are preferable when only one trigger in a
  # file is being justified.
  dangerous-triggers:
    ignore:
      # CLA assistant must comment on PRs from forks; runs a pinned third-party
      # action and does not execute any code from the PR.
      - cla.yml
      # auto-format-apply uses workflow_run to commit the formatted patch
      # computed by the untrusted `auto-format` workflow. The trusted job only
      # consumes the inert patch artifact, verifies the PR head SHA matches the
      # workflow_run head SHA, applies the diff, and pushes back via an app
      # token. It never checks out or executes PR-controlled code.
      # The head-SHA comparison is the control this ignore relies on; if that
      # workflow is edited, confirm the check is still present.
      - auto-format-apply.yml
      # Lunaria only reads localized content and posts a status comment; does
      # not execute PR-controlled code.
      - lunaria.yml
      # pr-compliance and pr-triage only inspect PR metadata (title, labels,
      # author) via github-script. They never check out PR code.
      - pr-compliance.yml
      - pr-triage.yml
      # review-state only reads PR and review metadata via github-script to
      # set review/* labels; it never checks out or runs PR code.
      - review-state.yml
      # query-counts-apply uses workflow_run to apply snapshot updates that
      # were computed in the untrusted `query-counts` workflow. The trusted
      # workflow only consumes the artifact JSON, verifies the head SHA, and
      # pushes back via an app token. See workflow comments for the full
      # threat model.
      - query-counts-apply.yml
      # query-counts-label labels PRs based on path filters; it does not
      # check out PR code.
      - query-counts-label.yml

  # The CLA assistant action (contributor-assistant/github-action) requires
  # write access to actions, contents (cla-signatures branch), issues, PRs,
  # and statuses. The workflow has only one job that uses these permissions,
  # so workflow-level vs job-level scoping makes no real difference. A future
  # PR may split the `label` job to a separate file with narrower permissions.
  excessive-permissions:
    ignore:
      - cla.yml

  # pkg.pr.new is a preview-release service, not npm registry publishing. It
  # authenticates via its own GitHub OIDC flow (no long-lived token), so npm
  # trusted publishing does not apply. The real npm publish (release.yml) uses
  # OIDC provenance via the job's id-token: write.
  use-trusted-publishing:
    ignore:
      - preview-releases.yml

  # investigate.yml is the bot's reproduction runner. It installs the
  # maintainer-owned bgproc / agent-browser CLIs globally at runtime so the
  # agent doesn't self-install them mid-run. This is not a production build,
  # and pinning these dev tools by version would add churn without a real
  # supply-chain gain here.
  # NOTE(review): because the installs are unpinned, whatever the registry
  # serves at run time executes inside this job. The trade-off above presumably
  # assumes the job holds no write-scoped credentials; revisit this entry if
  # that changes.
  adhoc-packages:
    ignore:
      - investigate.yml

  # contributor-assistant/github-action is archived upstream but pinned by
  # SHA, and has no maintained drop-in replacement. The CLA flow is critical;
  # replacing the action is a separate, deliberate migration.
  archived-uses:
    ignore:
      - cla.yml
