Files
bevy/.github/dependabot.yml
Benjamin Brienen 13ed0a69d2 Address some Zizmor lints (#22817)
# Objective

Minimize security issues
Real issues don't get drowned out from fixable small issues

## Solution

Apply recommended fixes such as passing secrets explicitly.
Ignore a lint in 2 workflows because it is necessary.

## Testing

Ran Zizmor locally

```
 techn0@IO  ~/source/bevy   main ±  zizmor . --fix=all
🌈 zizmor v1.22.0
 INFO audit: zizmor: 🌈 completed ./.github/actions/install-linux-deps/action.yml
 INFO audit: zizmor: 🌈 completed ./.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/action-on-PR-labeled.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/ci-comment-failures.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/ci.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/dependencies.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/docs.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/example-run-report.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/example-run.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/post-release.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/security-static-analysis.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/send-screenshots-to-pixeleagle.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/update-caches.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/validation-jobs.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/weekly.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/welcome.yml
error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> ./.github/workflows/ci-comment-failures.yml:6:1
   |
 6 | / on:
 7 | |   workflow_run:
 8 | |     workflows: ["CI"]
 9 | |     types:
10 | |       - completed
   | |_________________^ workflow_run is almost always used insecurely
   |
   = note: audit confidence → Medium

error[dangerous-triggers]: use of fundamentally insecure workflow trigger
  --> ./.github/workflows/example-run-report.yml:10:1
   |
10 | / on:
11 | |   workflow_run:
12 | |     workflows: ["Example Run"]
13 | |     types:
14 | |       - completed
   | |_________________^ workflow_run is almost always used insecurely
   |
   = note: audit confidence → Medium

121 findings (2 ignored, 117 suppressed): 0 informational, 0 low, 0 medium, 2 high
```
2026-02-06 19:14:45 +00:00

27 lines
484 B
YAML

version: 2
updates:
- package-ecosystem: cargo
directory: /
schedule:
interval: weekly
labels:
- "C-Dependencies"
groups:
wgpu:
patterns:
- "*wgpu*"
- "naga*"
accesskit:
patterns:
- "accesskit*"
cooldown:
default-days: 7
- package-ecosystem: github-actions
directory: /
schedule:
interval: weekly
labels:
- "C-Dependencies"
cooldown:
default-days: 7