From ed767a6a69c7cf218b6473f4acbc31c569f3fed2 Mon Sep 17 00:00:00 2001
From: Daniel Hast
Date: Sat, 7 Mar 2026 16:06:54 -0500
Subject: [PATCH] ci: ignore known Zizmor findings

This avoids false positives from existing uses of `GITHUB_ENV` and `pull_request_target` that are safe, as well as from cache usage in a workflow that doesn't produce release artifacts.
---
 .github/actions/cache/action.yml | 8 ++++----
 .github/actions/setup/action.yml | 2 +-
 .github/zizmor.yml               | 9 +++++++++
 3 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/.github/actions/cache/action.yml b/.github/actions/cache/action.yml
index 591bb67e66..f48269e0d9 100644
--- a/.github/actions/cache/action.yml
+++ b/.github/actions/cache/action.yml
@@ -3,22 +3,22 @@ description: "This action caches neovim dependencies"
 runs:
   using: "composite"
   steps:
-    - run: echo "CACHE_KEY=${GITHUB_WORKFLOW}" >> $GITHUB_ENV
+    - run: echo "CACHE_KEY=${GITHUB_WORKFLOW}" >> $GITHUB_ENV # zizmor: ignore[github-env]
       shell: bash
-    - run: echo "CACHE_KEY=${GITHUB_JOB}" >> $GITHUB_ENV
+    - run: echo "CACHE_KEY=${GITHUB_JOB}" >> $GITHUB_ENV # zizmor: ignore[github-env]
       shell: bash
     - if: ${{ matrix }}
       env:
         MATRIX_JOIN: ${{ join(matrix.*, '-') }}
-      run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV
+      run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV # zizmor: ignore[github-env]
       shell: bash
     - if: ${{ matrix.build }}
       env:
         MATRIX_JOIN: ${{ join(matrix.build.*, '-') }}
-      run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV
+      run: echo "CACHE_KEY=${CACHE_KEY}-${MATRIX_JOIN}" >> $GITHUB_ENV # zizmor: ignore[github-env]
       shell: bash
     - id: image
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
index b3b1d15845..a3ad2e98c5 100644
--- a/.github/actions/setup/action.yml
+++ b/.github/actions/setup/action.yml
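Review bot: The four `# zizmor: ignore[github-env]` markers on the `run:` lines in cache/action.yml suppress the finding without recording why these writes are safe, so a later edit that folds event-payload data into `CACHE_KEY` would silently inherit the suppression. What actually makes them safe is that the echoed values are `GITHUB_WORKFLOW`, `GITHUB_JOB` and a `join(matrix.*)`, which normally come from the repository's own workflow definitions rather than from the triggering event, and that reasoning belongs next to the ignores. A single comment above the first step such as `# CACHE_KEY is built only from workflow/job/matrix names defined in this repo; never feed event-controlled values into these GITHUB_ENV writes` would make the markers self-documenting, and the same applies to the `GITHUB_PATH` line in .github/actions/setup/action.yml. The `steps:` sequence continues past the end of this hunk.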
@@ -10,7 +10,7 @@ runs:
   steps:
     - name: Set $BIN_DIR
       shell: bash
-      run: echo "$BIN_DIR" >> $GITHUB_PATH
+      run: echo "$BIN_DIR" >> $GITHUB_PATH # zizmor: ignore[github-env]
     - if: ${{ runner.os != 'Windows' }}
       name: Set ulimit
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
index 4241b397b0..2976bbe3fa 100644
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -1,4 +1,13 @@
 rules:
+  cache-poisoning:
+    ignore:
+      - test.yml
+  dangerous-triggers:
+    ignore:
+      - backport.yml
+      - labeler_pr.yml
+      - reviewers_add.yml
+      - reviewers_remove.yml
   unpinned-uses:
     config:
       policies:
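Review bot: The ignore on the `GITHUB_PATH` write in setup/action.yml asserts that `BIN_DIR` is trustworthy, but `BIN_DIR` is set outside this hunk and nothing at the suppression site says where it comes from; since every subsequent step resolves executables through the prepended directory, the suppression is only as sound as that provenance. A short comment on the step, e.g. `# BIN_DIR is supplied by the calling workflow's env, not derived from event data — confirm if the caller changes`, would tie the marker to its assumption (that origin is my inference and should be checked). Quoting the redirect target, `run: echo "$BIN_DIR" >> "$GITHUB_PATH" # zizmor: ignore[github-env]`, would also match the quoting already used for `"$BIN_DIR"` on the same line. The enclosing `steps:` sequence extends beyond the hunk.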
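Review bot: The new `dangerous-triggers` entries in .github/zizmor.yml ignore the audit for the whole of backport.yml, labeler_pr.yml, reviewers_add.yml and reviewers_remove.yml, so a future change to any of them that starts checking out or running PR-controlled content under `pull_request_target` would no longer be flagged. As far as I know zizmor's config also accepts line-scoped entries of the form `backport.yml:LINE` (LINE being a placeholder for the trigger's line; check the installed version's config docs), and this same commit already uses inline `# zizmor: ignore[...]` markers, so narrowing each entry to the trigger line or moving the ignore inline next to the `on:` block would keep the rest of those files audited. The `cache-poisoning: ignore: - test.yml` entry is likewise file-wide; a comment above each entry recording the reason given in the commit message (test.yml produces no release artifacts; the four `pull_request_target` workflows are described as safe) would let a later reviewer re-check the assumption instead of inheriting it.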