Feature: Depot CI Support

[cedws]

Pre-submission checks

• I am not reporting a bug (crash, false positive/negative, etc). These must be filed via the bug report template.
• I have looked through both the open and closed issues for a duplicate request.

What's the problem this feature will solve?

Depot CI recently released: https://depot.dev/blog/now-available-depot-ci

Depot CI workflows are separate from GitHub workflows and live in .depot. Although Zizmor does not search inside .depot, it can be ran manually against individual Depot workflow files. This works currently because Depot workflows are largely compatible (for now.)

This feature request is for asking whether Zizmor will support Depot workflows given these assumptions:

• There will be larger divergences in future
• Depot CI is a commercial product and the spec is not open source

See here for compatibility matrix: https://depot.dev/docs/ci/compatibility

Describe the solution you'd like

A short term solution could be to add .depot as a search path for Zizmor, but this could be broken. I'm not sure what kind of compatibility Depot workflows will have in future.

Additional context

No response

[woodruffw]

Hi @cedws, thanks for opening this!

I think the story here will be similar to requests for other CI platforms: I'm not opposed to them in principle, but they're significant undertakings that will require buy-in/coordination with people who know those platforms better than I do.

For Deport in particular: if they have a developer advocate or some kind of other role who would be willing to work with me on this (e.g. to help with things that aren't documented), then I would consider adding dedicated support for their workflow formats. Until then, it'll probably have to be "best effort" similar to how people sometimes use zizmor with Woodpecker (?) and other GHA clones 🙂

(I'm marking this one as sponsorable as well.)

[cedws]

I'm open to working with you on this. My employer pays for Depot and we are considering adopting Depot CI at the moment, so we can dogfood. We also use Zizmor of course.

Would it be a simpler solution be to do an internal translation to GHA's schema? I suppose this would break line numbers and such though. Maybe it could be developed as a separate module so you're less on the hook for maintaining it.

I would send PRs but unfortunately I don't write Rust.

@kylegalbraith @jacobwgillespie 👀

[woodruffw]

Would it be a simpler solution be to do an internal translation to GHA's schema? I suppose this would break line numbers and such though. Maybe it could be developed as a separate module so you're less on the hook for maintaining it.

Unfortunately I think this would violate too many of zizmor's internal assumptions -- a critical internal assumption at the moment is that every symbolic location (like "step 3 in some job") can be concretized into a real source span. Without that the SARIF, etc. formats can't be generated.

It's helpful to know you'd be willing to dogfood this, though!