Unable to use online audits

zizmor is being integrated into [pytest-asyncio](https://github.com/pytest-dev/pytest-asyncio/pull/1122).

In that setup, zizmor is already run as a pre-commit hook. The pre-commit hook doesn't require a GitHub token so that contributors aren't forced to set up a token. As a result, the hook only runs the checks that don't require a GH_TOKEN.

I want to enable the additional zizmor checks as part of the pipeline. This doesn't seem to be possible with this reusable workflow.

My understanding is that a [GitHub token is automatically provided for each workflow run ](https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication#using-the-github_token-in-a-workflow), but [secrets have to be passed explicitly to reusable workflows](https://docs.github.com/en/actions/sharing-automations/reusing-workflows#calling-a-reusable-workflow). Since this workflow doesn't accept any secrets, that means the zizmore workflow cannot make use of it at the moment.

My questions are:
1. Do you think it makes sense to [accepts a GitHub token as a secret](https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets)?
2. If so, which permissions would be required on the token?

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Unable to use online audits #1

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Unable to use online audits #1

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions