William Woodruff

  1. A new adventure

    This is a personal announcement post: after 7 years at Trail of Bits, I’m leaving to do something new. Specifically, I’ll be joining Astral to help them build the next generation of Python developer tooling.

  2. Bypassing GitHub Actions policies in the dumbest way possible

    TL;DR: GitHub Actions provides a policy mechanism for limiting the kinds of actions and reusable workflows that can be used within a repository, organization, or entire enterprise. Unfortunately, this mechanism is trivial to bypass. GitHub has told me that they don’t consider this a security issue (I…

  3. A Discord server and new GitHub organization for zizmor

    TL;DR: zizmor now has a Discord server and a new GitHub organization (@zizmorcore). Feel free to join the Discord server, and be on the lookout for an official transition of @woodruffw/zizmor to the new organization in the coming weeks!

  4. Be aware of the Makefile effect

    Update 2024-01-12: Ken Shirriff has an excellent blog post on why “cargo cult” is a poor term of art.

  5. zizmor 1.0

    Happy New Year!

  6. zizmor would have caught the Ultralytics workflow vulnerability

    TL;DR: zizmor would have caught the vulnerability that caused this…mostly. Read on for details.

  7. Security means securing people where they are

    Standard disclaimer: These are my personal opinions, not the opinions of my employer, PyPI, or any open source projects I participate in (either for funsies or because I’m paid to). In particular, nothing I write below can be interpreted to imply (or imply the negation of) similar opinions by any of…

  8. Introducing zizmor: now you can have beautiful clean workflows

    This is an announcement for zizmor, a new tool for finding security issues in GitHub Actions setups. You can run it on one or more workflow definitions, and it’ll emit cargo-style diagnostics, SARIF, or JSON as you please. Support for custom actions (e.g. action.yml within actions/checkout or similar…

  9. YAML feature extraction with yamlpath

    Another Rust crate announcement: this time I’m announcing yamlpath, a small library for format-preserving YAML feature extraction.

  10. Tracking and publishing my TILs

    Mini-post.