chore: Create zizmor.yml

[ocean]

Summary by CodeRabbit

Release Notes

• New Features

  • Added automated security analysis workflow to the CI/CD pipeline via GitHub Actions

• Chores

  • Implemented backup and configuration tracking infrastructure
  • Established dependency and labelling management system
  • Updated database artifact and runtime file ignore patterns

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[coderabbitai]

Walkthrough

This pull request introduces backup state initialisation, configuration data, and dependency metadata into a .beads/backup/ directory, updates ignore patterns for Dolt database artifacts, and establishes a new GitHub Actions security analysis workflow using zizmor.

Changes

Cohort / File(s)	Summary
Gitignore Updates .beads/.gitignore, .gitignore	Reorganises ignore patterns for Dolt and SQLite artefacts, replacing legacy entries with explicit Dolt directory, lock, and server management files; adds ephemeral store patterns and consolidates backup ignores.
Backup Configuration & Metadata .beads/backup/backup_state.json, .beads/backup/config.jsonl	Initialises backup state with metadata (last_dolt_commit, last_event_id, counts for issues/events/comments/dependencies/labels/config) and 13 configuration entries covering compaction behaviour, UI settings, and custom types registry.
Backup Dependencies & Labels .beads/backup/dependencies.jsonl, .beads/backup/labels.jsonl	Adds 14 JSON Lines records encoding parent-child and blocking dependency relationships, plus 4 label entries mapping issues to status and testing categories.
Security Analysis Workflow .github/workflows/zizmor.yml	Introduces new GitHub Actions workflow for security analysis via zizmor, triggered on pushes to main and pull requests, configured with repository checkout and zizmor-action execution.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• chore: Ignore Beads ephemeral DB #83: Directly related through updates to .beads/.gitignore for ephemeral SQLite database file ignore rules.

Poem

🐰 A backup here, a config there,
Dependencies we must declare,
GitHub actions keep us safe and sound,
With zizmor watching all around! 🌈
The beads are lined up, neat and true,
Code review time—let's see it through!

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'chore: Create zizmor.yml' accurately describes the creation of the GitHub Actions security analysis workflow file, but overlooks substantial changes to .gitignore files and backup data files that comprise a significant portion of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch dev

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

.gitignore (1)

49-51: Scope these new database ignores to the repo root.

*.db will also hide any future fixture or example databases anywhere in the tree. If these rules are only for bd init artefacts at the top level, anchor them with / instead.

Suggested diff

 # Dolt database files (added by bd init)
-.dolt/
-*.db
+/.dolt/
+/*.db

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.gitignore around lines 49 - 51, Anchor the new ignore patterns to the
repository root by replacing the unscoped rules ".dolt/" and "*.db" with
root-anchored patterns (e.g., "/.dolt/" and "/.db") so only top-level bd init
artefacts are ignored; update the .gitignore entry that currently contains
".dolt/" and "*.db" to use leading slashes to avoid hiding fixture/example
databases in subdirectories.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.beads/.gitignore:
- Around line 37-38: The .beads/.gitignore entry "backup/" conflicts with
tracked files added in this PR; remove the churn by either untracking the backup
files or moving canonical data out of the ignored path: run git rm --cached on
the tracked .beads/backup/*.jsonl and .beads/backup/backup_state.json (or
otherwise remove them from the index) so the ignore takes effect, or relocate
the canonical seed files to a non-ignored directory and update any references;
ensure the .beads/.gitignore continues to contain "backup/" if you intend to
keep runtime exports untracked.

In @.github/workflows/zizmor.yml:
- Around line 9-20: The workflow-level permissions block is empty so
GITHUB_TOKEN lacks repo access; add a contents: read permission so the
actions/checkout step can access the repository. Update the permissions object
(either the top-level permissions or the zizmor job permissions) to include
"contents: read" alongside existing "security-events: write" so the Checkout
repository step (uses: actions/checkout@...) succeeds while keeping
persist-credentials: false.

---

Nitpick comments:
In @.gitignore:
- Around line 49-51: Anchor the new ignore patterns to the repository root by
replacing the unscoped rules ".dolt/" and "*.db" with root-anchored patterns
(e.g., "/.dolt/" and "/.db") so only top-level bd init artefacts are ignored;
update the .gitignore entry that currently contains ".dolt/" and "*.db" to use
leading slashes to avoid hiding fixture/example databases in subdirectories.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f5069768-d25f-4511-99bf-bddd0823fb6d

📥 Commits

Reviewing files that changed from the base of the PR and between bbedff2 and 8de2fb0.

📒 Files selected for processing (10)

• .beads/.gitignore
• .beads/backup/backup_state.json
• .beads/backup/comments.jsonl
• .beads/backup/config.jsonl
• .beads/backup/dependencies.jsonl
• .beads/backup/events.jsonl
• .beads/backup/issues.jsonl
• .beads/backup/labels.jsonl
• .github/workflows/zizmor.yml
• .gitignore

[coderabbitai]

⚠️ Potential issue | 🟠 Major

backup/ being ignored conflicts with the tracked files added in this PR.

Git ignore rules do not apply to files already in the index, so the new .beads/backup/*.jsonl and backup_state.json files will still churn on every local export. Either untrack this directory or move any canonical seed data to a non-backup path before merging.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.beads/.gitignore around lines 37 - 38, The .beads/.gitignore entry
"backup/" conflicts with tracked files added in this PR; remove the churn by
either untracking the backup files or moving canonical data out of the ignored
path: run git rm --cached on the tracked .beads/backup/*.jsonl and
.beads/backup/backup_state.json (or otherwise remove them from the index) so the
ignore takes effect, or relocate the canonical seed files to a non-ignored
directory and update any references; ensure the .beads/.gitignore continues to
contain "backup/" if you intend to keep runtime exports untracked.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For actions/checkout, what GITHUB_TOKENpermissions are required when a workflow setspermissions: {} globally and the job checks out the current repository?

💡 Result:

When you set permissions: {} at the workflow level, all GITHUB_TOKEN permissions become none unless explicitly granted [2]. To let actions/checkout check out the current repository, the job needs:

permissions:
  contents: read

This is the recommended (and effectively required) minimum for actions/checkout when using GITHUB_TOKEN authentication [1].

Sources: [1] [2]

---

Add contents: read permission for actions/checkout.

With permissions: {} set at the workflow level, the GITHUB_TOKEN receives no permissions unless explicitly granted. The job currently grants only security-events: write, but actions/checkout requires contents: read to access the repository. Without this permission, the workflow will fail at the checkout step before the zizmor scan executes.

Suggested fix

 jobs:
   zizmor:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/zizmor.yml around lines 9 - 20, The workflow-level
permissions block is empty so GITHUB_TOKEN lacks repo access; add a contents:
read permission so the actions/checkout step can access the repository. Update
the permissions object (either the top-level permissions or the zizmor job
permissions) to include "contents: read" alongside existing "security-events:
write" so the Checkout repository step (uses: actions/checkout@...) succeeds
while keeping persist-credentials: false.