67 changes: 33 additions & 34 deletions .beads/.gitignore
@@ -1,52 +1,51 @@
# SQLite databases
*.db
*.db?*
*.db-journal
*.db-wal
*.db-shm
*.sqlite3
# Dolt database (managed by Dolt, not git)
dolt/
dolt-access.lock

# Daemon runtime files
daemon.lock
daemon.log
daemon-*.log.gz
daemon.pid
# Runtime files
bd.sock
bd.sock.startlock
sync-state.json
last-touched

# Local version tracking (prevents upgrade notification spam after git ops)
.local_version

# Legacy database files
db.sqlite
bd.db

# Worktree redirect file (contains relative path to main repo's .beads/)
# Must not be committed as paths would be wrong in other clones
redirect

# Merge artifacts (temporary files from 3-way merge)
beads.base.jsonl
beads.base.meta.json
beads.left.jsonl
beads.left.meta.json
beads.right.jsonl
beads.right.meta.json

# Sync state (local-only, per-machine)
# These files are machine-specific and should not be shared across clones
.sync.lock
.jsonl.lock
sync_base.jsonl
export-state/

# Dolt database (managed by Dolt remotes, not git)
dolt/
dolt-access.lock
# Ephemeral store (SQLite - wisps/molecules, intentionally not versioned)
ephemeral.sqlite3
ephemeral.sqlite3-journal
ephemeral.sqlite3-wal
ephemeral.sqlite3-shm

# Dolt server management (auto-started by bd)
dolt-server.pid
dolt-server.log
dolt-server.lock
dolt-server.port
dolt-server.activity
dolt-monitor.pid

# NOTE: Do NOT add negation patterns (e.g., !issues.jsonl) here.
# They would override fork protection in .git/info/exclude, allowing
# contributors to accidentally commit upstream issue databases.
# The JSONL files (issues.jsonl, interactions.jsonl) and config files
# are tracked by git by default since no pattern above ignores them.
# Backup data (auto-exported JSONL, local-only)
backup/
Comment on lines +37 to +38
Contributor


⚠️ Potential issue | 🟠 Major

backup/ being ignored conflicts with the tracked files added in this PR.

Git ignore rules do not apply to files already in the index, so the new .beads/backup/*.jsonl and backup_state.json files will still churn on every local export. Either untrack this directory or move any canonical seed data to a non-backup path before merging.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.beads/.gitignore around lines 37 - 38, The .beads/.gitignore entry
"backup/" conflicts with tracked files added in this PR; remove the churn by
either untracking the backup files or moving canonical data out of the ignored
path: run git rm --cached on the tracked .beads/backup/*.jsonl and
.beads/backup/backup_state.json (or otherwise remove them from the index) so the
ignore takes effect, or relocate the canonical seed files to a non-ignored
directory and update any references; ensure the .beads/.gitignore continues to
contain "backup/" if you intend to keep runtime exports untracked.


# Legacy files (from pre-Dolt versions)
*.db
*.db?*
*.db-journal
*.db-wal
*.db-shm
db.sqlite
bd.db
# NOTE: Do NOT add negation patterns here.
# They would override fork protection in .git/info/exclude.
# Config files (metadata.json, config.yaml) are tracked by git by default
# since no pattern above ignores them.
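Review bot: The NOTE at the end of this hunk says only "They would override fork protection in .git/info/exclude." and does not say what that protection prevents. The longer NOTE earlier in the hunk carries the reason ("allowing contributors to accidentally commit upstream issue databases"), and that clause is what tells a future editor why a negation pattern is dangerous here, so keep it in the surviving comment. The closing comment also names only metadata.json and config.yaml as tracked; say explicitly whether issues.jsonl and interactions.jsonl are still expected to be tracked, since the same file now ignores backup/, which holds JSONL exports.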
13 changes: 13 additions & 0 deletions .beads/backup/backup_state.json
@@ -0,0 +1,13 @@
{
"last_dolt_commit": "fit9rrh4oo30fkpqacfa5i999p582hrc",
"last_event_id": 0,
"timestamp": "2026-03-06T07:05:13.345572Z",
"counts": {
"issues": 111,
"events": 0,
"comments": 0,
"dependencies": 14,
"labels": 4,
"config": 13
}
}
Empty file added .beads/backup/comments.jsonl
Empty file.
13 changes: 13 additions & 0 deletions .beads/backup/config.jsonl
@@ -0,0 +1,13 @@
{"key":"auto_compact_enabled","value":"false"}
{"key":"compact_batch_size","value":"50"}
{"key":"compact_model","value":"claude-haiku-4-5-20251001"}
{"key":"compact_parallel_workers","value":"5"}
{"key":"compact_tier1_days","value":"30"}
{"key":"compact_tier1_dep_levels","value":"2"}
{"key":"compact_tier2_commits","value":"100"}
{"key":"compact_tier2_days","value":"90"}
{"key":"compact_tier2_dep_levels","value":"5"}
{"key":"compaction_enabled","value":"false"}
{"key":"issue_prefix","value":"el"}
{"key":"schema_version","value":"6"}
{"key":"types.custom","value":"molecule,gate,convoy,merge-request,slot,agent,role,rig,message"}
14 changes: 14 additions & 0 deletions .beads/backup/dependencies.jsonl
@@ -0,0 +1,14 @@
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-713","issue_id":"el-713.1","type":"parent-child"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-713","issue_id":"el-713.2","type":"parent-child"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-713","issue_id":"el-713.3","type":"parent-child"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-713","issue_id":"el-713.4","type":"parent-child"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-713","issue_id":"el-713.5","type":"parent-child"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-713","issue_id":"el-713.6","type":"parent-child"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-6yg","issue_id":"el-8wn","type":"blocks"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-oxv","issue_id":"el-8wn","type":"blocks"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-6yg","issue_id":"el-dcb","type":"blocks"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-oxv","issue_id":"el-dcb","type":"blocks"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-5mr","issue_id":"el-e9r","type":"blocks"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-ffc","issue_id":"el-ffc.1","type":"parent-child"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-5mr","issue_id":"el-gwo","type":"blocks"}
{"created_at":"2026-02-16T15:38:03Z","created_by":"import","depends_on_id":"el-5mr","issue_id":"el-pre","type":"blocks"}
Empty file added .beads/backup/events.jsonl
Empty file.
111 changes: 111 additions & 0 deletions .beads/backup/issues.jsonl

Large diffs are not rendered by default.

4 changes: 4 additions & 0 deletions .beads/backup/labels.jsonl
@@ -0,0 +1,4 @@
{"issue_id":"el-ffc","label":"status:in-progress"}
{"issue_id":"el-yr6","label":"security"}
{"issue_id":"el-yr6","label":"testing"}
{"issue_id":"el-yr6","label":"tests"}
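Review bot: el-yr6 carries both "testing" and "tests" in the last two lines, which read as one label under two spellings. Pick one before this file becomes the committed baseline, otherwise any filter on that label has to match both forms.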
23 changes: 23 additions & 0 deletions .github/workflows/zizmor.yml
@@ -0,0 +1,23 @@
name: GitHub Actions Security Analysis with zizmor 🌈

on:
push:
branches: ["main"]
pull_request:
branches: ["**"]

permissions: {}

jobs:
zizmor:
runs-on: ubuntu-latest
permissions:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
Comment on lines +9 to +20
Contributor


⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

For actions/checkout, what GITHUB_TOKEN permissions are required when a workflow sets permissions: {} globally and the job checks out the current repository?

💡 Result:

When you set permissions: {} at the workflow level, all GITHUB_TOKEN permissions become none unless explicitly granted [2]. To let actions/checkout check out the current repository, the job needs:

permissions:
  contents: read

This is the recommended (and effectively required) minimum for actions/checkout when using GITHUB_TOKEN authentication [1].

Sources: [1] [2]


Add contents: read permission for actions/checkout.

With permissions: {} set at the workflow level, the GITHUB_TOKEN receives no permissions unless explicitly granted. The job currently grants only security-events: write, but actions/checkout requires contents: read to access the repository. Without this permission, the workflow will fail at the checkout step before the zizmor scan executes.

Suggested fix
 jobs:
   zizmor:
     runs-on: ubuntu-latest
     permissions:
+      contents: read
       security-events: write
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/zizmor.yml around lines 9 - 20, The workflow-level
permissions block is empty so GITHUB_TOKEN lacks repo access; add a contents:
read permission so the actions/checkout step can access the repository. Update
the permissions object (either the top-level permissions or the zizmor job
permissions) to include "contents: read" alongside existing "security-events:
write" so the Checkout repository step (uses: actions/checkout@...) succeeds
while keeping persist-credentials: false.


- name: Run zizmor 🌈
uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
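Review bot: The pull_request trigger at the top of the workflow covers every branch, and the job requests security-events: write, but on pull requests opened from forks GitHub issues a read-only GITHUB_TOKEN whatever the permissions block says (unless the repository is configured to send write tokens to fork PRs). Any step that writes code scanning results will therefore lack that permission on those runs. Decide how fork PRs should behave, for example by reporting findings through the job log and exit status on pull_request and reserving the upload for push to main, and record the choice in a comment next to the permissions block. The full-SHA pins with a trailing version comment and persist-credentials: false are worth keeping as they are.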
4 changes: 4 additions & 0 deletions .gitignore
Expand Up @@ -45,3 +45,7 @@ z_ecto_libsql_test*
# Implementation summaries and temporary docs
TEST_AUDIT_REPORT.md
TEST_COVERAGE_ISSUES_CREATED.md

# Dolt database files (added by bd init)
.dolt/
*.db
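Review bot: The new *.db line sits under the "Dolt database files (added by bd init)" comment but is not scoped to Dolt: in the root .gitignore it ignores every file ending in .db anywhere in the tree. .beads/.gitignore in this PR already lists *.db for the .beads directory, so either drop the line here or anchor it to the path it is meant for. Otherwise a database fixture added elsewhere in the repository would be silently left out of a commit.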