4 Commits

Author: Michael Daniels
SHA1: da6f4f59bd
Date: 2026-04-04 16:13:11 -04:00
Message:
Reapply "ci: update pinned"

This reverts commit fd925917b8, reversing
changes made to 1d8a939046.

Author: Michael Daniels
SHA1: de4b6267e4
Date: 2026-04-03 17:45:24 -04:00
Message:
Revert "ci: update pinned"

Author: Michael Daniels
SHA1: be5b19720d
Date: 2026-04-02 17:29:07 -04:00
Message:
.github/zizmor.yml: disable secrets-outside-env rule

This rule, added in zizmor v1.23.0, requires that secrets be used only in
a deployment environment.

We do not use environment secrets or deployments, and, per zizmor,
"environment secrets do not interact correctly with reusable workflows
unless the caller workflow uses `secrets: inherit`, which is itself flagged by"
the `secrets-inherit` rule.

Author: Winter
SHA1: 1a9867167d
Date: 2025-10-26 22:03:12 +01:00
Message:
ci: add zizmor check and configuration

`zizmor` is a tool that uses static analysis to find potential security
issues in GitHub Actions [0]. (Yes, it's a bit absurd that GitHub
made a CI system so complicated that tools like this were created, but
I digress.)

Given our increase in GHA usage recently, I think this is a good step
towards keeping our security posture in tip-top shape. (It also keeps
with the theme of automating as many things as possible!)

The rule related to the usage of dangerous-triggers has been disabled
to avoid false positives. Explanations about the usage of
`pull_request_target` and expectations around its usage can be found in
`.github/workflows/README.md`.

[0]: https://woodruffw.github.io/zizmor/

Co-authored-by: Thomas Gerbet <thomas@gerbet.me>