Fix zizmor linting failures in GitHub Actions workflows

[Copilot]

The GITHUB_ACTIONS_ZIZMOR super-linter check was failing due to one high-severity vulnerability and two medium-severity warnings across three workflow files.

Changes

• linter.yml: Upgrade super-linter/super-linter from 8.2.1 → 8.3.1 to remediate GHSA-r79c-pqj3-577x
• rebase.yml: Suppress archived-uses for cirrus-actions/rebase — repository is archived but action remains functional with no viable replacement
• update.yml: Suppress secrets-outside-env for secrets.WORKFLOW_TOKEN — intentional fine-grained PAT with contents:write/workflows:write scopes required for the job

---

📍 Connect Copilot coding agent with Jira, Azure Boards or Linear to delegate work to Copilot in one click without leaving your project management tool.

[qodo-code-review]

Review Summary by Qodo

Fix zizmor linting failures in GitHub Actions workflows

🐞 Bug fix

Walkthroughs

Description

• Upgrade super-linter to v8.3.1 fixing security vulnerability
• Suppress archived-uses warning for cirrus-actions/rebase action
• Suppress secrets-outside-env warning for workflow token usage

Diagram

flowchart LR
  A["Linting Issues<br/>Detected"] -->|Upgrade| B["super-linter<br/>v8.3.1"]
  A -->|Suppress| C["archived-uses<br/>rebase.yml"]
  A -->|Suppress| D["secrets-outside-env<br/>update.yml"]
  B --> E["Zizmor Checks<br/>Pass"]
  C --> E
  D --> E

Loading

File Changes

1. .github/workflows/linter.yml 🐞 Bug fix +1/-1

Upgrade super-linter to v8.3.1

• Upgrade super-linter action from v8.2.1 to v8.3.1
• Update action reference hash to v8.3.1 commit
• Remediates GHSA-r79c-pqj3-577x security vulnerability

.github/workflows/linter.yml

---

2. .github/workflows/rebase.yml 🐞 Bug fix +1/-1

Suppress archived-uses warning for rebase action

• Add zizmor ignore directive for archived-uses warning
• Suppress linting check for cirrus-actions/rebase action
• Action remains functional despite archived repository status

.github/workflows/rebase.yml

---

3. .github/workflows/update.yml 🐞 Bug fix +1/-1

Suppress secrets-outside-env warning for workflow token

• Add zizmor ignore directive for secrets-outside-env warning
• Suppress linting check for WORKFLOW_TOKEN secret usage
• Token is intentional fine-grained PAT with required scopes

.github/workflows/update.yml

---

[qodo-code-review]

Code Review by Qodo

🐞 Bugs (2) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. Archived action warning suppressed 🐞 Bug ⛨ Security

Description

.github/workflows/rebase.yml adds # zizmor: ignore[archived-uses] on the cirrus-actions/rebase
dependency, so CI will no longer surface that this dependency is flagged as archived/unmaintained.
This reduces security visibility and can delay detection if the action later becomes unsafe or stops
working.

Code

.github/workflows/rebase.yml[29]

+        uses: cirrus-actions/rebase@b87d48154a87a85666003575337e27b8cd65f691 # 1.8 # zizmor: ignore[archived-uses]

Evidence

The workflow explicitly suppresses zizmor’s archived-action finding on the exact uses: line, which
removes an automated signal for this dependency going forward.

.github/workflows/rebase.yml[20-31]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow suppresses `zizmor`'s `archived-uses` warning on the `cirrus-actions/rebase` action, reducing security visibility for an unmaintained dependency.

### Issue Context
This PR intentionally adds an inline suppression. Even if the suppression is necessary, it should be paired with explicit rationale and/or a plan to migrate to a maintained action/fork.

### Fix Focus Areas
- .github/workflows/rebase.yml[28-31]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. Secret lint warning suppressed 🐞 Bug ⛨ Security

Description

.github/workflows/update.yml suppresses zizmor: ignore[secrets-outside-env] for
secrets.WORKFLOW_TOKEN passed directly into actions/checkout inputs, preventing the linter from
flagging this pattern on future edits. This reduces the chance of catching accidental
expansion/misuse of a high-privilege PAT in workflow inputs.

Code

.github/workflows/update.yml[127]

+          token: ${{ secrets.WORKFLOW_TOKEN }} # zizmor: ignore[secrets-outside-env]

Evidence

The workflow explicitly suppresses a secrets-handling warning at the step where a fine-grained PAT
is passed via with: token: ..., which removes an automated guardrail for secret placement at this
location.

.github/workflows/update.yml[118-136]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
The workflow silences `zizmor`'s `secrets-outside-env` warning for `WORKFLOW_TOKEN` passed directly as an action input.

### Issue Context
Even if intentional, suppressing this warning removes a guardrail for future modifications on this step.

### Fix Focus Areas
- .github/workflows/update.yml[124-129]

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more