William Woodruff
-
We should all be using dependency cooldowns
TL;DR: Dependency cooldowns are a free, easy, and incredibly effective way to mitigate the large majority of open source supply chain attacks. More individual projects should apply cooldowns (via tools like Dependabot and Renovate) to their dependencies, and packaging ecosystems should invest in first…
Published
-
Dear GitHub: no YAML anchors, please
TL;DR: for a very long time, GitHub Actions lacked support for YAML anchors.
Published
-
One year of zizmor
This is a dual purpose post: I’ve released zizmor v1.13.0, and zizmor has turned one year old[1]!
[1] It depends on how you count: zizmor’s first commit was roughly…
Published
-
Fun with finite state transducers
I recently[1] solved an interesting problem inside zizmor with a type of state machine/automaton I hadn’t used before: a finite state transducer (FST).
[1] A few months ago.
Published
-
A new adventure
This is a personal announcement post: after 7 years at Trail of Bits, I’m leaving to do something new. Specifically, I’ll be joining Astral to help them build the next generation of Python developer tooling.
Published
-
Bypassing GitHub Actions policies in the dumbest way possible
TL;DR: GitHub Actions provides a policy mechanism for limiting the kinds of actions and reusable workflows that can be used within a repository, organization, or entire enterprise. Unfortunately, this mechanism is trivial to bypass. GitHub has told me that they don’t consider this a security issue (I…
Published
-
A Discord server and new GitHub organization for zizmor
TL;DR: zizmor now has a Discord server and a new GitHub organization (@zizmorcore). Feel free to join the Discord server, and be on the lookout for an official transition of @woodruffw/zizmor to the new organization in the coming weeks!
Published
-
Be aware of the Makefile effect
Update 2024-01-12: Ken Shirriff has an excellent blog post on why “cargo cult” is a poor term of art.
Published
-
zizmor 1.0
Happy New Year!
Published
-
zizmor would have caught the Ultralytics workflow vulnerability
TL;DR: zizmor would have caught the vulnerability that caused this…mostly. Read on for details.
Published