
ci: add push trigger to zizmor workflow for changes to workflow files on main#973

Closed
Copilot wants to merge 2 commits into main from copilot/update-zizmor-workflow-trigger

Conversation


Copilot AI commented Apr 28, 2026

The zizmor workflow previously only ran on pull_request (path-filtered) and a weekly schedule, leaving a gap for direct pushes to main that modify workflow files.

Changes

  • .github/workflows/zizmor.yml — adds a push trigger scoped to the main branch and .github/workflows/** paths:
on:
  pull_request:
    paths:
      - ".github/workflows/**"
  push:
    branches:
      - main
    paths:
      - ".github/workflows/**"
  schedule:
    - cron: "0 0 * * 6"

All existing triggers and behaviour are preserved. The concurrency group (keyed on github.ref) correctly serialises/cancels repeated pushes on the same branch. permissions: contents: read is unchanged.

Original prompt

Update PR #968 in CycloneDX/cyclonedx-python-lib to also run the zizmor workflow when workflow files change on push.

Context:

  • PR adds .github/workflows/zizmor.yml.
  • Currently triggers are:
    • pull_request with paths: [".github/workflows/**"]
    • schedule weekly.

Task:

  1. Modify .github/workflows/zizmor.yml to include a push trigger that runs when .github/workflows/** changes.
  2. Limit the push trigger to the repository default branch (determine actual default branch in the repo; do not assume main). If additional long-lived branches (e.g., master, develop, release branches) are clearly in use, consider including them only if appropriate—otherwise just default branch.
  3. Keep existing triggers and behavior intact.
  4. Ensure YAML remains valid and consistent with least-privilege approach already used.

Deliverable:

  • Commit to the PR branch updating the workflow file.

Reference:

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: this PR adds a runner on schedule and on pull_request.

would it be beneficial to also have it on any change of a file ".github/workflows/**" ?

Assistant: Yes—it’s generally beneficial to run this on pushes that change .github/workflows/**, not just on pull_request and a weekly schedule.

Why add push (workflow-file changes)?

  • Catches issues earlier on branches that don’t use PRs (direct pushes to default branch, maintenance branches, release branches, or admins merging via the UI).
  • Covers “post-merge” workflow edits (e.g., someone tweaks a workflow after merge, or via a hotfix commit).
  • Reduces the window of exposure compared to weekly schedule (you’ll get feedback immediately when workflow security posture changes).

When it might not add much

  • If your repo requires PRs for all changes to .github/workflows/** (branch protection + CODEOWNERS + no direct pushes), then pull_request already covers most cases.
  • If you’re concerned about CI load/noise, limiting push to specific branches helps.

Recommended configuration

Add a push trigger restricted to workflow paths and (optionally) to protected branches:

on:
  pull_request:
    paths:
      - ".github/workflows/**"
  push:
    branches:
      - main
      - master
    paths:
      - ".github/workflows/**"
  schedule:
    - cron: "0 0 * * 6"

If the default branch isn’t main/master, use the actual default branch name.

One nuance

You already have concurrency: group: ${{ github.workflow }}-${{ github.ref }}, which is fine; on push it’ll group by the branch ref, so repeated pushes will cancel in-progress runs on the same branch.

If you tell me the repo’s default branch name and whether workflow changes can be pushed directly, I can suggest the tightest trigger set.

User: okay, add this in

Assistant: I’ve queued up the change to add a push trigger (scoped to the repo’s default branch and only when .github/workflows/** changes), and I’m waiting on your approval/confirmation in the dialog before I can apply it to the PR.

This pull request was created from Copilot chat.
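An added check for the trigger-coverage gap discussed above (example code, not part of this PR or of cyclonedx-python-lib): it inspects the parsed `on:` mapping of a workflow, as `yaml.safe_load` would return it, and reports when direct pushes to the default branch that touch `.github/workflows/**` would not be scanned. The before/after trigger sets are transcribed from the YAML in this PR; branch globs are not expanded, which is a simplification.

```python
WORKFLOW_GLOB = ".github/workflows/**"


def triggers(workflow: dict) -> dict:
    """Return the workflow's ``on:`` mapping.

    PyYAML (YAML 1.1) loads the bare key ``on`` as the boolean True, so the
    mapping may live under either key. A bare string or list form
    (``on: push`` / ``on: [push, pull_request]``) is normalised to a mapping.
    """
    on = workflow.get("on", workflow.get(True, {}))
    if isinstance(on, str):
        on = {on: {}}
    if isinstance(on, list):
        on = {name: {} for name in on}
    return on


def trigger_gaps(on: dict, default_branch: str) -> list:
    """Return human-readable coverage gaps; an empty list means no gap found."""
    gaps = []
    pr = on.get("pull_request") or {}
    if "pull_request" not in on:
        gaps.append("no pull_request trigger")
    elif WORKFLOW_GLOB not in pr.get("paths", []):
        gaps.append(f"pull_request is not path-filtered to {WORKFLOW_GLOB}")
    if "push" not in on:
        gaps.append(f"no push trigger: direct pushes to {default_branch} "
                    "that edit workflows are not scanned")
    else:
        push = on.get("push") or {}
        branches = push.get("branches")  # absent means every branch
        if branches is not None and default_branch not in branches:
            gaps.append(f"push trigger does not cover default branch {default_branch}")
        if WORKFLOW_GLOB not in push.get("paths", []):
            gaps.append(f"push is not path-filtered to {WORKFLOW_GLOB}")
    if "schedule" not in on:
        gaps.append("no schedule trigger: no periodic baseline scan")
    return gaps


# Constructed inputs transcribed from the PR: triggers before and after the change.
BEFORE = {True: {"pull_request": {"paths": [WORKFLOW_GLOB]},
                 "schedule": [{"cron": "0 0 * * 6"}]}}
AFTER = {"on": {"pull_request": {"paths": [WORKFLOW_GLOB]},
                "push": {"branches": ["main"], "paths": [WORKFLOW_GLOB]},
                "schedule": [{"cron": "0 0 * * 6"}]}}

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, trigger_gaps(triggers(wf), "main") or ["ok"])
```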

codacy-production Bot commented Apr 28, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy


@jkowalleck jkowalleck closed this Apr 28, 2026
Copilot AI changed the title from "[WIP] Update Zizmor workflow to run on push when workflow files change" to "ci: add push trigger to zizmor workflow for changes to workflow files on main" Apr 28, 2026
Copilot stopped work on behalf of jkowalleck due to an error April 28, 2026 14:06
Copilot AI requested a review from jkowalleck April 28, 2026 14:06