Skip to content

fix(ci): add explicit top-level permissions to existing workflows#24

Open
LukeEvansTech wants to merge 7 commits into
mainfrom
chore/add-super-linter
Open

fix(ci): add explicit top-level permissions to existing workflows#24
LukeEvansTech wants to merge 7 commits into
mainfrom
chore/add-super-linter

Conversation

@LukeEvansTech
Copy link
Copy Markdown
Owner

@LukeEvansTech LukeEvansTech commented May 4, 2026

Follow-up to the super-linter rollout. CHECKOV CKV2_GHA_1 ("top-level permissions not set to write-all") fires on workflows without an explicit top-level permissions block. Adding the GitHub-recommended least-privilege default (permissions: contents: read) at the top of each existing workflow.

Per-job overrides are intact and take precedence at runtime.

@LukeEvansTech
ci: replace meta-linter with shared super-linter (soft launch)
2b85002
@LukeEvansTech
ci: graduate super-linter to blocking (repo is clean)
b8b1c84
@LukeEvansTech
fix(ci): add top-level 'permissions: contents: read' to existing work…
905f281 
…flows

CHECKOV CKV2_GHA_1 ("top-level permissions not set to write-all") fires
on workflows without an explicit top-level permissions block. Add the
GitHub-recommended least-privilege default; per-job overrides remain
intact and take precedence at runtime.
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Fail ❌

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

GITHUB_ACTIONS_ZIZMOR 
�[1m�[96mhelp[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-publish-module.yml:15:9
   �[1m�[94m|�[0m
�[1m�[94m15�[0m �[1m�[94m|�[0m         - name: Checkout repository
   �[1m�[94m|�[0m �[1m�[96m _________^�[0m
�[1m�[94m16�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m         uses: actions/checkout@v6
�[1m�[94m17�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m
�[1m�[94m18�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m       # PowerShell Core is already pre-installed on GitHub-hosted runners
   �[1m�[94m|�[0m �[1m�[96m|_________________________________________________________________________^�[0m �[1m�[96mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-publish-module.yml:16:15
   �[1m�[94m|�[0m
�[1m�[94m16�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-publish-module.yml:40:63
   �[1m�[94m|�[0m
�[1m�[94m12�[0m �[1m�[94m|�[0m   publish:
   �[1m�[94m|�[0m   �[1m�[94m-------�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m40�[0m �[1m�[94m|�[0m             Publish-Module -Path $ModulePath -NuGetApiKey ${{ secrets.PSGALLERY_API_KEY }} -Repository PSGallery -Verbose
   �[1m�[94m|�[0m                                                               �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[96mhelp[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:33:7
   �[1m�[94m|�[0m
�[1m�[94m33�[0m �[1m�[94m|�[0m       - name: Check out repository
   �[1m�[94m|�[0m �[1m�[96m _______^�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m       uses: actions/checkout@v6
   �[1m�[94m|�[0m �[1m�[96m|_______________________________^�[0m �[1m�[96mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:34:13
   �[1m�[94m|�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m       uses: actions/checkout@v6
   �[1m�[94m|�[0m             �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:52:13
   �[1m�[94m|�[0m
�[1m�[94m52�[0m �[1m�[94m|�[0m       uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m             �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:58:13
   �[1m�[94m|�[0m
�[1m�[94m58�[0m �[1m�[94m|�[0m       uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m             �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[96mhelp[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:33:9
   �[1m�[94m|�[0m
�[1m�[94m33�[0m �[1m�[94m|�[0m         - name: Check out repository
   �[1m�[94m|�[0m �[1m�[96m _________^�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m �[1m�[96m|_________________________________^�[0m �[1m�[96mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:34:15
   �[1m�[94m|�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:52:15
   �[1m�[94m|�[0m
�[1m�[94m52�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:58:15
   �[1m�[94m|�[0m
�[1m�[94m58�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[96mhelp[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:33:7
   �[1m�[94m|�[0m
�[1m�[94m33�[0m �[1m�[94m|�[0m       - name: Check out repository
   �[1m�[94m|�[0m �[1m�[96m _______^�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m       uses: actions/checkout@v6
   �[1m�[94m|�[0m �[1m�[96m|_______________________________^�[0m �[1m�[96mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:34:13
   �[1m�[94m|�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m       uses: actions/checkout@v6
   �[1m�[94m|�[0m             �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:52:13
   �[1m�[94m|�[0m
�[1m�[94m52�[0m �[1m�[94m|�[0m       uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m             �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:58:13
   �[1m�[94m|�[0m
�[1m�[94m58�[0m �[1m�[94m|�[0m       uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m             �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[32m31�[39m findings (�[1m�[93m10�[39m suppressed, �[92m14�[39m fixable�[0m): �[35m0�[39m informational, �[36m4�[39m low, �[33m7�[39m medium, �[31m10�[39m high🌈 zizmor v1.23.1
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/lint.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-publish-module.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-linux.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-macos.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-windows.yml
YAML_PRETTIER 
Checking formatting...[�[33mwarn�[39m] .github/workflows/psreddit-publish-module.yml
[�[33mwarn�[39m] .github/workflows/psreddit-test-on-linux.yml
[�[33mwarn�[39m] .github/workflows/psreddit-test-on-windows.yml
[�[33mwarn�[39m] Code style issues found in 3 files. Run Prettier with --write to fix.

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

GITHUB_ACTIONS_ZIZMOR 
�[1m�[96mhelp[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-publish-module.yml:15:9
   �[1m�[94m|�[0m
�[1m�[94m15�[0m �[1m�[94m|�[0m         - name: Checkout repository
   �[1m�[94m|�[0m �[1m�[96m _________^�[0m
�[1m�[94m16�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m         uses: actions/checkout@v6
�[1m�[94m17�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m
�[1m�[94m18�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m       # PowerShell Core is already pre-installed on GitHub-hosted runners
   �[1m�[94m|�[0m �[1m�[96m|_________________________________________________________________________^�[0m �[1m�[96mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-publish-module.yml:16:15
   �[1m�[94m|�[0m
�[1m�[94m16�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-publish-module.yml:40:63
   �[1m�[94m|�[0m
�[1m�[94m12�[0m �[1m�[94m|�[0m   publish:
   �[1m�[94m|�[0m   �[1m�[94m-------�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m40�[0m �[1m�[94m|�[0m             Publish-Module -Path $ModulePath -NuGetApiKey ${{ secrets.PSGALLERY_API_KEY }} -Repository PSGallery -Verbose
   �[1m�[94m|�[0m                                                               �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[96mhelp[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:33:9
   �[1m�[94m|�[0m
�[1m�[94m33�[0m �[1m�[94m|�[0m         - name: Check out repository
   �[1m�[94m|�[0m �[1m�[96m _________^�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m �[1m�[96m|_________________________________^�[0m �[1m�[96mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:34:15
   �[1m�[94m|�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:52:15
   �[1m�[94m|�[0m
�[1m�[94m52�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:58:15
   �[1m�[94m|�[0m
�[1m�[94m58�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[96mhelp[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:33:9
   �[1m�[94m|�[0m
�[1m�[94m33�[0m �[1m�[94m|�[0m         - name: Check out repository
   �[1m�[94m|�[0m �[1m�[96m _________^�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m �[1m�[96m|_________________________________^�[0m �[1m�[96mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:34:15
   �[1m�[94m|�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:52:15
   �[1m�[94m|�[0m
�[1m�[94m52�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:58:15
   �[1m�[94m|�[0m
�[1m�[94m58�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[96mhelp[artipacked]�[0m�[1m: credential persistence through GitHub Actions artifacts�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:33:9
   �[1m�[94m|�[0m
�[1m�[94m33�[0m �[1m�[94m|�[0m         - name: Check out repository
   �[1m�[94m|�[0m �[1m�[96m _________^�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m �[1m�[96m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m �[1m�[96m|_________________________________^�[0m �[1m�[96mdoes not set persist-credentials: false�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → Low
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#artipacked�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:34:15
   �[1m�[94m|�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:52:15
   �[1m�[94m|�[0m
�[1m�[94m52�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:58:15
   �[1m�[94m|�[0m
�[1m�[94m58�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[32m31�[39m findings (�[1m�[93m10�[39m suppressed, �[92m14�[39m fixable�[0m): �[35m0�[39m informational, �[36m4�[39m low, �[33m7�[39m medium, �[31m10�[39m high🌈 zizmor v1.23.1
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/lint.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-publish-module.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-linux.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-macos.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-windows.yml

@LukeEvansTech
fix(ci): apply zizmor + prettier auto-fixes; ensure top-level permiss…
848ca15 
…ions

- zizmor --fix=all: adds 'persist-credentials: false' to actions/checkout
  invocations (artipacked audit) and other safe security fixes.
- prettier --write: normalises workflow YAML formatting (YAML_PRETTIER).
- ensures top-level 'permissions: contents: read' on every workflow
  (CKV2_GHA_1).
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 4, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

GITHUB_ACTIONS_ZIZMOR 
�[1m�[91merror[excessive-permissions]�[0m�[1m: overly broad permissions�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-deploy-docs.yml:14:3
   �[1m�[94m|�[0m
�[1m�[94m14�[0m �[1m�[94m|�[0m   pages: write
   �[1m�[94m|�[0m   �[1m�[91m^^^^^^^^^^^^�[0m �[1m�[91mpages: write is overly broad at the workflow level�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#excessive-permissions�[39m

�[1m�[91merror[excessive-permissions]�[0m�[1m: overly broad permissions�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-deploy-docs.yml:15:3
   �[1m�[94m|�[0m
�[1m�[94m15�[0m �[1m�[94m|�[0m   id-token: write
   �[1m�[94m|�[0m   �[1m�[91m^^^^^^^^^^^^^^^�[0m �[1m�[91mid-token: write is overly broad at the workflow level�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#excessive-permissions�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-deploy-docs.yml:26:15
   �[1m�[94m|�[0m
�[1m�[94m26�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-deploy-docs.yml:32:15
   �[1m�[94m|�[0m
�[1m�[94m32�[0m �[1m�[94m|�[0m         uses: actions/setup-python@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-deploy-docs.yml:46:15
   �[1m�[94m|�[0m
�[1m�[94m46�[0m �[1m�[94m|�[0m         uses: actions/configure-pages@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-deploy-docs.yml:49:15
   �[1m�[94m|�[0m
�[1m�[94m49�[0m �[1m�[94m|�[0m         uses: actions/upload-pages-artifact@v5
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-deploy-docs.yml:62:15
   �[1m�[94m|�[0m
�[1m�[94m62�[0m �[1m�[94m|�[0m         uses: actions/deploy-pages@v5
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-publish-module.yml:16:15
   �[1m�[94m|�[0m
�[1m�[94m16�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-publish-module.yml:42:63
   �[1m�[94m|�[0m
�[1m�[94m12�[0m �[1m�[94m|�[0m   publish:
   �[1m�[94m|�[0m   �[1m�[94m-------�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m42�[0m �[1m�[94m|�[0m             Publish-Module -Path $ModulePath -NuGetApiKey ${{ secrets.PSGALLERY_API_KEY }} -Repository PSGallery -Verbose
   �[1m�[94m|�[0m                                                               �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:34:15
   �[1m�[94m|�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:54:15
   �[1m�[94m|�[0m
�[1m�[94m54�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:60:15
   �[1m�[94m|�[0m
�[1m�[94m60�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:34:15
   �[1m�[94m|�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:54:15
   �[1m�[94m|�[0m
�[1m�[94m54�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:60:15
   �[1m�[94m|�[0m
�[1m�[94m60�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:34:15
   �[1m�[94m|�[0m
�[1m�[94m34�[0m �[1m�[94m|�[0m         uses: actions/checkout@v6
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:54:15
   �[1m�[94m|�[0m
�[1m�[94m54�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[91merror[unpinned-uses]�[0m�[1m: unpinned action reference�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:60:15
   �[1m�[94m|�[0m
�[1m�[94m60�[0m �[1m�[94m|�[0m         uses: actions/upload-artifact@v7
   �[1m�[94m|�[0m               �[1m�[91m^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[91maction is not pinned to a hash (required by blanket policy)�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mnote�[0m: this finding has an auto-fix
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#unpinned-uses�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[32m37�[39m findings (�[1m�[93m13�[39m suppressed, �[92m15�[39m fixable�[0m): �[35m0�[39m informational, �[36m0�[39m low, �[33m7�[39m medium, �[31m17�[39m high🌈 zizmor v1.23.1
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/lint.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-deploy-docs.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-publish-module.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-linux.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-macos.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-windows.yml

@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 5, 2026

Super-linter summary

Language Validation result
CHECKOV Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON Pass ✅
JSON_PRETTIER Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

GITHUB_ACTIONS_ZIZMOR 
�[1m�[91merror[excessive-permissions]�[0m�[1m: overly broad permissions�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-deploy-docs.yml:14:3
   �[1m�[94m|�[0m
�[1m�[94m14�[0m �[1m�[94m|�[0m   pages: write
   �[1m�[94m|�[0m   �[1m�[91m^^^^^^^^^^^^�[0m �[1m�[91mpages: write is overly broad at the workflow level�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#excessive-permissions�[39m

�[1m�[91merror[excessive-permissions]�[0m�[1m: overly broad permissions�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-deploy-docs.yml:15:3
   �[1m�[94m|�[0m
�[1m�[94m15�[0m �[1m�[94m|�[0m   id-token: write
   �[1m�[94m|�[0m   �[1m�[91m^^^^^^^^^^^^^^^�[0m �[1m�[91mid-token: write is overly broad at the workflow level�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#excessive-permissions�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-publish-module.yml:42:63
   �[1m�[94m|�[0m
�[1m�[94m12�[0m �[1m�[94m|�[0m   publish:
   �[1m�[94m|�[0m   �[1m�[94m-------�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m42�[0m �[1m�[94m|�[0m             Publish-Module -Path $ModulePath -NuGetApiKey ${{ secrets.PSGALLERY_API_KEY }} -Repository PSGallery -Verbose
   �[1m�[94m|�[0m                                                               �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-linux.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-macos.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:28:29
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m28�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_ID: ${{ secrets.REDDIT_CLIENT_ID }}
   �[1m�[94m|�[0m                             �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[1m�[33mwarning[secrets-outside-env]�[0m�[1m: secrets referenced without a dedicated environment�[0m
  �[1m�[94m--> �[0m/github/workspace/.github/workflows/psreddit-test-on-windows.yml:29:33
   �[1m�[94m|�[0m
�[1m�[94m24�[0m �[1m�[94m|�[0m   test:
   �[1m�[94m|�[0m   �[1m�[94m----�[0m �[1m�[94mthis job�[0m
�[1m�[94m...�[0m
�[1m�[94m29�[0m �[1m�[94m|�[0m       REDDIT_CLIENT_SECRET: ${{ secrets.REDDIT_CLIENT_SECRET }}
   �[1m�[94m|�[0m                                 �[1m�[33m^^^^^^^^^^^^^^^^^^^^^^^^^^^^�[0m �[1m�[33msecret is accessed outside of a dedicated environment�[0m
   �[1m�[94m|�[0m
   �[1m�[94m= �[0m�[1mnote�[0m: audit confidence → High
   �[1m�[94m= �[0m�[1mhelp�[0m: audit documentation → �[32mhttps://docs.zizmor.sh/audits/#secrets-outside-env�[39m

�[32m22�[39m findings (�[1m�[93m13�[39m suppressed�[0m): �[35m0�[39m informational, �[36m0�[39m low, �[33m7�[39m medium, �[31m2�[39m high🌈 zizmor v1.23.1
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/lint.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-deploy-docs.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-publish-module.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-linux.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-macos.yml
�[32m INFO�[0m �[1maudit�[0m�[2m:�[0m �[2mzizmor�[0m�[2m:�[0m 🌈 completed /github/workspace/.github/workflows/psreddit-test-on-windows.yml

@LukeEvansTech
fix(ci): move caller permissions to job level + bump shared-workflows…
6486bbe 
… SHA

- Top-level permissions reduced to 'contents: read' (least-privilege).
- Job-level adds 'statuses: write' + 'pull-requests: write' for super-linter.
- Bumped LukeEvansTech/shared-workflows pin to current v1 SHA.

Resolves zizmor excessive-permissions on the lint.yml caller.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@LukeEvansTech