Skip to content

Do not use cmd shell in GitHub Actions #9327

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
radarhere wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Do not use cmd shell in GitHub Actions #9327

radarhere wants to merge 2 commits into from
+22 −25

Conversation

@radarhere
Copy link
Member

@radarhere radarhere commented Dec 5, 2025
edited
Loading

#9318 upgraded zizmor to include https://docs.zizmor.sh/audits/#obfuscation

The CMD shell has no formal grammar, making it impossible to accurately analyze for security issues.

This PR allows for that by

  1. Changing test-windows.yml to avoid the cmd shell.
  2. Moving the cmd shell instructions from wheels.yml into a separate file, where they will not bother zizmor. It is not an ideal solution, but I suspect an ideal solution would involve changing winbuild to no longer generate cmd files, and that seems like a step too far. This will at least allow zizmor's rule to be in place, so that we can enforce it by default.

@radarhere radarhere changed the title Do not use cmd shell in Windows GitHub Actions Do not use cmd shell in GitHub Actions Dec 5, 2025
@radarhere radarhere mentioned this pull request Dec 5, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Windows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@radarhere