William Woodruff

  1. Dear GitHub: no YAML anchors, please

    TL;DR: for a very long time, GitHub Actions lacked support for YAML anchors.

  2. One year of zizmor

    This is a dual-purpose post: I’ve released zizmor v1.13.0, and zizmor has turned one year old![1]

    [1] It depends on how you count: zizmor’s first commit was roughly

  3. Fun with finite state transducers

    I recently[1] solved an interesting problem inside zizmor with a type of state machine/automaton I hadn’t used before: a finite state transducer (FST).

    [1] A few months ago.

  4. A new adventure

    This is a personal announcement post: after 7 years at Trail of Bits, I’m leaving to do something new. Specifically, I’ll be joining Astral to help them build the next generation of Python developer tooling.

  5. Bypassing GitHub Actions policies in the dumbest way possible

    TL;DR: GitHub Actions provides a policy mechanism for limiting the kinds of actions and reusable workflows that can be used within a repository, organization, or entire enterprise. Unfortunately, this mechanism is trivial to bypass. GitHub has told me that they don’t consider this a security issue (I…

  6. A Discord server and new GitHub organization for zizmor

    TL;DR: zizmor now has a Discord server and a new GitHub organization (@zizmorcore). Feel free to join the Discord server, and be on the lookout for an official transition of @woodruffw/zizmor to the new organization in the coming weeks!

  7. Be aware of the Makefile effect

    Update 2024-01-12: Ken Shirriff has an excellent blog post on why “cargo cult” is a poor term of art.

  8. zizmor 1.0

    Happy New Year!

  9. zizmor would have caught the Ultralytics workflow vulnerability

    TL;DR: zizmor would have caught the vulnerability that caused this…mostly. Read on for details.

  10. Security means securing people where they are

    Standard disclaimer: These are my personal opinions, not the opinions of my employer, PyPI, or any open source projects I participate in (either for funsies or because I’m paid to). In particular, nothing I write below can be interpreted to imply (or imply the negation of) similar opinions by any of…
