
Do not use cmd shell in GitHub Actions

Open radarhere opened this issue 2 weeks ago • 0 comments

https://github.com/python-pillow/Pillow/pull/9318 upgraded zizmor to include https://docs.zizmor.sh/audits/#obfuscation

The CMD shell has no formal grammar, making it impossible to accurately analyze for security issues.

This PR allows for that by

  1. Changing test-windows.yml to avoid the cmd shell.
  2. Moving the cmd shell instructions from wheels.yml into a separate file, where they will not bother zizmor. It is not an ideal solution, but I suspect an ideal solution would involve changing winbuild to no longer generate cmd files, and that seems like a step too far. This will at least allow zizmor's rule to be in place, so that we can enforce it by default.

radarhere, Dec 05 '25 10:12
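An added illustration of the two changes the issue describes; it is a constructed workflow fragment, not Pillow's actual test-windows.yml or wheels.yml. The step names and the `scripts\build.cmd` path are assumptions.

```yaml
# Constructed example (not from the Pillow repository).

# Before: commands inline under `shell: cmd`. cmd has no formal grammar, so
# zizmor's obfuscation audit cannot parse this block and flags the step.
- name: Build (inline cmd)
  shell: cmd
  run: |
    call scripts\build.cmd
    python -m pytest -v

# After (1): where the step never needed cmd, switch to a shell zizmor can
# analyze. pwsh is already the default shell on GitHub's Windows runners.
- name: Run tests
  shell: pwsh
  run: python -m pytest -v

# After (2): work that must stay in cmd lives in a checked-in .cmd file
# (hypothetical path scripts\build.cmd). The workflow only invokes it, so the
# YAML contains no cmd syntax for zizmor to reason about and the audit can be
# enforced by default.
- name: Build
  shell: pwsh
  run: cmd /c scripts\build.cmd
```

Moving commands out of the YAML also moves them out of zizmor's view, so the checked-in `.cmd` file needs the same code review as the workflow itself.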