Empty Files and Private Actions #724
Hey, we're trying to use zizmor across our estate, and are finding that when it encounters an empty file the application panics, and the same is true when it encounters a private action. Should this be something that is reported as a finding rather than panicking and failing the whole run?
Hi @jamesc-grafana, thanks for opening a discussion. Could you provide a bit more detail, or a repro case for me to look at? Empty files shouldn't cause any kind of panic, but it's possible there's an edge case I haven't thought of. Similarly, private actions should work correctly, assuming the API token passed to
No problem, and thanks for making a reproducer!
Ah yeah, I see what's happening here -- an empty file isn't a valid YAML file, so we fail hard rather than skipping it. I did that originally because I was under the impression that GitHub Actions fails if it can't parse a workflow definition, but they might have a skip condition for completely empty files.
I'll look into that more in a bit, but either way this case can definitely be improved on zizmor's side -- the error message itself will get better now that #719 has landed, but we should probably also just skip entirely empty files.