CI: fix zizmor workflow audit step

2026-04-19 21:21:10 +00:00 · 2026-03-17 00:03:11 -05:00
parent 1616d4c0f4
commit 012d272e85
1 changed files with 5 additions and 16 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -463,25 +463,14 @@ jobs:
        run: pre-commit run --all-files detect-private-key

      - name: Audit changed GitHub workflows with zizmor
+        env:
+          BASE_SHA: ${{ github.event_name == 'push' && github.event.before || github.event.pull_request.base.sha }}
        run: |
          set -euo pipefail

-          BASE="$(
-            python - <<'PY'
-            import json
-            import os
-
-            with open(os.environ["GITHUB_EVENT_PATH"], "r", encoding="utf-8") as fh:
-                event = json.load(fh)
-
-            if os.environ["GITHUB_EVENT_NAME"] == "push":
-                print(event["before"])
-            else:
-                print(event["pull_request"]["base"]["sha"])
-            PY
-          )"
-
-          mapfile -t workflow_files < <(git diff --name-only "$BASE" HEAD -- '.github/workflows/*.yml' '.github/workflows/*.yaml')
+          mapfile -t workflow_files < <(
+            git diff --name-only "$BASE_SHA" HEAD -- '.github/workflows/*.yml' '.github/workflows/*.yaml'
+          )
          if [ "${#workflow_files[@]}" -eq 0 ]; then
            echo "No workflow changes detected; skipping zizmor."
            exit 0