{"id":42551692,"url":"https://github.com/step-security/setup-zig","last_synced_at":"2026-02-24T06:56:22.751Z","repository":{"id":264684658,"uuid":"894081897","full_name":"step-security/setup-zig","owner":"step-security","description":"Install a Zig compiler for usage in GitHub Actions workflows. Secure drop-in replacement for mlugg/setup-zig.","archived":false,"fork":false,"pushed_at":"2026-01-26T00:08:58.000Z","size":20726,"stargazers_count":1,"open_issues_count":14,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-26T15:28:18.791Z","etag":null,"topics":["step-security-maintained-actions"],"latest_commit_sha":null,"homepage":"https://docs.stepsecurity.io/actions/stepsecurity-maintained-actions","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/step-security.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-11-25T18:07:45.000Z","updated_at":"2026-01-22T03:37:14.000Z","dependencies_parsed_at":"2024-11-25T19:26:17.721Z","dependency_job_id":"dcbb5ea3-7ecb-4abb-8635-c0846dff553c","html_url":"https://github.com/step-security/setup-zig","commit_stats":null,"previous_names":["step-security/setup-zig"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/step-security/setup-zig","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fsetup-zig","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fsetup-zig/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fsetup-zig/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fsetup-zig/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/step-security","download_url":"https://codeload.github.com/step-security/setup-zig/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/step-security%2Fsetup-zig/sbom","scorecard":{"id":1237656,"data":{"date":"2025-09-09T07:25:59Z","repo":{"name":"github.com/step-security/setup-zig","commit":"96ca74e72d2a36d6104234c6e4f07a6d03bdde93"},"scorecard":{"version":"v5.0.0-rc2","commit":"7ce8609469289d5f3b1bf5ee3122f42b4e3054fb"},"score":8,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Warn: codeowners review is required - but no codeowners file found in repo","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":7,"reason":"7 out of 9 merged PRs checked by a CI test -- score normalized to 7","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#code-review"}},{"name":"Contributors","score":0,"reason":"project has 0 contributing companies or organizations -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#license"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#maintained"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:   9 out of   9 GitHub-owned GitHubAction dependencies pinned","Info:   4 out of   4 third-party GitHubAction dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":9,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 28 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#sast"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":10,"reason":"5 out of the last 5 releases have a total of 5 signed artifacts.","details":["Info: provenance for release artifact: multiple.intoto.jsonl: https://api.github.com/repos/step-security/setup-zig/releases/assets/279122099","Info: provenance for release artifact: multiple.intoto.jsonl: https://api.github.com/repos/step-security/setup-zig/releases/assets/273662733","Info: provenance for release artifact: multiple.intoto.jsonl: https://api.github.com/repos/step-security/setup-zig/releases/assets/261138146","Info: provenance for release artifact: multiple.intoto.jsonl: https://api.github.com/repos/step-security/setup-zig/releases/assets/256589249","Info: provenance for release artifact: multiple.intoto.jsonl: https://api.github.com/repos/step-security/setup-zig/releases/assets/233269462"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'actions' permission set to 'read': .github/workflows/actions_release.yml:16","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/actions_release.yml:18","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:31","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:32","Info: jobLevel 'issues' permission set to 'read': .github/workflows/scorecards.yml:32","Info: jobLevel 'pull-requests' permission set to 'read': .github/workflows/scorecards.yml:33","Info: jobLevel 'checks' permission set to 'read': .github/workflows/scorecards.yml:35","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:29","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:30","Info: topLevel 'contents' permission set to 'read': .github/workflows/actions_release.yml:11","Warn: topLevel 'contents' permission set to 'write': .github/workflows/audit_package.yml:24","Info: topLevel 'packages' permission set to 'read': .github/workflows/audit_package.yml:26","Warn: topLevel 'contents' permission set to 'write': .github/workflows/auto_cherry_pick.yml:19","Info: topLevel 'packages' permission set to 'read': .github/workflows/auto_cherry_pick.yml:21","Info: topLevel 'packages' permission set to 'read': .github/workflows/claude_review.yml:16","Warn: topLevel 'contents' permission set to 'write': .github/workflows/claude_review.yml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:24","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/guarddog.yml:10","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/7ce8609469289d5f3b1bf5ee3122f42b4e3054fb/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-09-15T02:29:45.412Z","repository_id":264684658,"created_at":"2025-09-15T02:29:45.412Z","updated_at":"2025-09-15T02:29:45.412Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28849608,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-28T15:15:36.453Z","status":"ssl_error","status_checked_at":"2026-01-28T15:15:13.020Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["step-security-maintained-actions"],"created_at":"2026-01-28T19:13:51.666Z","updated_at":"2026-01-28T19:13:52.575Z","avatar_url":"https://github.com/step-security.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# setup-zig\n\nInstall the Zig compiler for use in an Actions workflow, and preserve the Zig cache across workflow runs.\n\n## Usage\n\n```yaml\njobs:\n  test:\n    runs-on: ubuntu-latest\n    name: Build and Test\n    steps:\n      - uses: actions/checkout@v3\n      - uses: step-security/setup-zig@v2\n      - run: zig build test\n```\n\nThis will automatically download Zig and install it to `PATH`.\n\nYou can use `version` to set a Zig version to download. This may be a release (`0.13.0`), a specific nightly\nbuild (`0.14.0-dev.2+0884a4341`), the string `master` for the latest nightly build, or the string `latest`\nfor the latest full release. It can also refer to a [Mach nominated version][mach-nominated], such as\n`2024.5.0-mach`. Finally, leaving the value empty (the default) will cause the action to attempt to resolve\nthe Zig version from the `minimum_zig_version` field in `build.zig.zon`, falling back to `latest` if that\nisn't possible.\n\n```yaml\n  - uses: step-security/setup-zig@v2\n    with:\n      version: 0.13.0\n```\n\n\u003e [!WARNING]\n\u003e Mirrors, including the official Zig website, may purge old nightly builds at their leisure. This means\n\u003e that if you target an out-of-date nightly build, such as a `0.11.0-dev` build, the download may fail.\n\nIf you want to use one specific mirror, you can set it using the `mirror` option:\n\n```yaml\n  - uses: step-security/setup-zig@v2\n    with:\n      mirror: 'https://pkg.machengine.org/zig'\n```\n\nPlease don't do this unnecessarily; it's not nice to hammer one mirror. This mirror is not permitted to\nbe https://ziglang.org/download to avoid the official website being hit with large amounts of requests.\nIf you've experienced issues with a default mirror, please [open an issue][report-bad-mirror] on the Zig\nwebsite repository, which is where the list of mirrors is maintained.\n\nIf necessary, the caching of the global and local Zig cache directories can be disabled by setting the option\n`use-cache: false`. Don't do this without reason: preserving the Zig cache will typically speed things up\nand decrease the load on GitHub's runners.\n\nIf you are using a [matrix strategy][matrix] for your workflow, you may need to populate the `cache-key` option\nwith all of your matrix variables to ensure that every job is correctly cached. Unfortunately, GitHub does not\nprovide any means for the Action to automatically distinguish jobs in a matrix. However, variables which select\nthe runner OS can be omitted from the `cache-key`, since the runner OS is included in the cache key by default.\n\nZig cache directories can get incredibly large over time. By default, this Action will clear the cache directory\nonce its size exceeds 2 GiB. This threshold can be changed by setting the `cache-size-limit` option to a different\nvalue (in MiB); for instance, `cache-size-limit: 4096` for a 4 GiB limit. The limit can be disabled entirely by\nsetting `cache-size-limit: 0`.\n\n[mach-nominated]: https://machengine.org/about/nominated-zig/\n[matrix]: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/running-variations-of-jobs-in-a-workflow\n[report-bad-mirror]: https://github.com/ziglang/www.ziglang.org/issues/new\n\n## Details\n\nThis action attempts to download the requested Zig tarball from a set of mirrors, in a random order. As\na last resort, the official Zig website is used. The tarball's minisign signature is also downloaded and\nverified to ensure binaries have not been tampered with. The tarball is cached between runs and workflows.\n\nThe global Zig cache directory (`~/.cache/zig` on Linux) is automatically cached between runs, and all\nlocal caches are redirected to the global cache directory to make optimal use of this cross-run caching.\n\n## Adding a mirror\n\nThe list of tarball mirrors is not in this repository; rather, the [community mirror list][mirrors] from\nziglang.org is used. If you are interested in hosting a mirror of your own, check out the\n[documentation][host-mirror] on the Zig website repository. That way, your mirror can benefit not just\nsetup-zig, but also any other tooling which wants to fetch Zig!\n\n[mirrors]: https://ziglang.org/download/community-mirrors/\n[host-mirror]: https://github.com/ziglang/www.ziglang.org/blob/main/MIRRORS.md\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstep-security%2Fsetup-zig","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstep-security%2Fsetup-zig","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstep-security%2Fsetup-zig/lists"}