Add five more cases of superfluous actions and recommend their replacements (#1937)

agriyakhetarpal · web-flow · commit 1a1bf156d838 · 2026-04-23T02:35:46.000Z
* Add two actions-ecosystem actions

* Suggest replacing `sergeysova/jq-action` with `jq`

* Add variants of "git commit"-like actions
diff --git a/crates/zizmor/src/audit/superfluous_actions.rs b/crates/zizmor/src/audit/superfluous_actions.rs
@@ -90,6 +90,18 @@ static SUPERFLUOUS_ACTIONS: LazyLock<Vec<(RepositoryUsesPattern, &str, Persona,
                 Persona::Regular,
                 Confidence::High,
             ),
+            (
+                "actions-ecosystem/action-add-labels".parse().unwrap(),
+                "use `gh issue edit --add-label` or `gh pr edit --add-label` in a script step",
+                Persona::Regular,
+                Confidence::High,
+            ),
+            (
+                "actions-ecosystem/action-remove-labels".parse().unwrap(),
+                "use `gh issue edit --remove-label` or `gh pr edit --remove-label` in a script step",
+                Persona::Regular,
+                Confidence::High,
+            ),
             (
                 "svenstaro/upload-release-action".parse().unwrap(),
                 "use `gh release create` and `gh release upload` in a script step",
@@ -102,6 +114,12 @@ static SUPERFLUOUS_ACTIONS: LazyLock<Vec<(RepositoryUsesPattern, &str, Persona,
                 Persona::Regular,
                 Confidence::High,
             ),
+            (
+                "sergeysova/jq-action".parse().unwrap(),
+                "use `jq` in a script step",
+                Persona::Regular,
+                Confidence::High,
+            ),
             (
                 "dtolnay/rust-toolchain".parse().unwrap(),
                 "use `rustup` and/or `cargo` in a script step",
@@ -112,6 +130,24 @@ static SUPERFLUOUS_ACTIONS: LazyLock<Vec<(RepositoryUsesPattern, &str, Persona,
                 Persona::Pedantic,
                 Confidence::Medium,
             ),
+            (
+                "stefanzweifel/git-auto-commit-action".parse().unwrap(),
+                "use `git add`, `git commit`, and `git push` in a script step",
+                // NOTE: Currently pedantic because replicating this action's
+                // full behaviour (empty commit detection, auth setup, etc.)
+                // requires multiple git commands and some care.
+                Persona::Pedantic,
+                Confidence::Low,
+            ),
+            (
+                "EndBug/add-and-commit".parse().unwrap(),
+                "use `git add`, `git commit`, and `git push` in a script step",
+                // NOTE: Currently pedantic because replicating this action's
+                // full behaviour (empty commit detection, auth setup, etc.)
+                // requires multiple git commands and some care.
+                Persona::Pedantic,
+                Confidence::Low,
+            ),
         ]
     });
 
diff --git a/docs/audits.md b/docs/audits.md
@@ -1605,9 +1605,14 @@ The following table lists some common superfluous actions and their recommended
 | @peter-evans/create-pull-request | `gh pr create` |
 | @peter-evans/create-or-update-comment | `gh pr comment` or `gh issue comment` |
 | @dacbd/create-issue-action | `gh issue create` |
+| @actions-ecosystem/action-add-labels | `gh issue edit --add-label` or `gh pr edit --add-label` |
+| @actions-ecosystem/action-remove-labels | `gh issue edit --remove-label` or `gh pr edit --remove-label` |
 | @svenstaro/upload-release-action | `gh release create` and `gh release upload` |
 | @addnab/docker-run-action | `docker run` |
+| @sergeysova/jq-action | `jq <...>` |
 | @dtolnay/rust-toolchain | `rustup` |
+| @stefanzweifel/git-auto-commit-action | `git add`, `git commit`, and `git push` |
+| @EndBug/add-and-commit | `git add`, `git commit`, and `git push` |
 
 !!! example
 
diff --git a/docs/release-notes.md b/docs/release-notes.md
@@ -27,6 +27,20 @@ of `zizmor`.
 
 ### Enhancements
 
+* Recommend `gh issue edit --add-label` / `gh pr edit --add-label` as a replacement for
+  @actions-ecosystem/action-add-labels in [superfluous-actions]
+
+* Recommend `gh issue edit --remove-label` / `gh pr edit --remove-label` as a replacement for
+  @actions-ecosystem/action-remove-labels in [superfluous-actions]
+
+* Recommend `jq` as a replacement for @sergeysova/jq-action in [superfluous-actions]
+
+* Recommend `git add`, `git commit`, and `git push` as a replacement for
+  @stefanzweifel/git-auto-commit-action in [superfluous-actions]
+
+* Recommend `git add`, `git commit`, and `git push` as a replacement for
+  @EndBug/add-and-commit in [superfluous-actions]
+
 * @tibdex/github-app-token is now recognized as an archived action by
   [archived-uses] (#1910)
 
