ELIXIR TOOLCHAIN GETS QUIET MAINTENANCE ACROSS CI/CD
By RepoJournal · Filed · About Elixir & Phoenix
Three routine dependency bumps landed in Elixir core overnight, touching your security scanning, code signing, and security analysis pipeline.
The Elixir team updated zizmor-action to 0.5.6 [1], bringing zizmor itself to version 1.25.2 as the default for supply chain security scanning in CI workflows. Separately, CodeQL Action bumped to 4.35.5 [2] with a significant optimization: the JavaScript bundles now shed around 70% of repository bloat through better generation logic, which means faster action checkout times in your workflows. The bigger move came with Azure's trusted-signing-action jumping to 2.0.0 [3], a major version bump that migrates to the new artifactsigning module. None of these changes break existing workflows, but the major version bump on Azure's action warrants a quick check if you're signing release artifacts in CI.
Action items
- Review the Azure trusted-signing-action 2.0.0 migration guide if you sign releases in CI (elixir-lang/elixir) [plan]
- Verify zizmor 1.25.2 catches what your team needs on the next build (elixir-lang/elixir) [monitor]
References
- [1] Bump zizmorcore/zizmor-action from 0.5.3 to 0.5.6 (elixir-lang/elixir)
- [2] Bump github/codeql-action from 4.35.4 to 4.35.5 (elixir-lang/elixir)
- [3] Bump azure/trusted-signing-action from 1.2.0 to 2.0.0 (elixir-lang/elixir)
FAQ
- What changed in Elixir & Phoenix on May 29, 2026?
  Three routine dependency bumps landed in Elixir core overnight, touching your security scanning, code signing, and security analysis pipeline.
- What should Elixir & Phoenix teams do about it?
  Review the Azure trusted-signing-action 2.0.0 migration guide if you sign releases in CI, and verify zizmor 1.25.2 catches what your team needs on the next build.
- Which Elixir & Phoenix repositories shipped on May 29, 2026?
  elixir-lang/elixir