TIL: Packaging Static Binaries

I have been using the zizmor project for a while to lint GitHub Actions workflows for security issues. Zizmor is a (mostly) static binary written in Rust so it should be a relatively straightforward install. But I noticed that it can be installed via unexpected ways like by Python package.

Recently the company Astral has been building many Python tools in Rust, like uv and ruff, and creating many integrations between the two languages. Further integrations are made possible by PyO3 and maturin.

Maturin is a build backend for Python packages that supports Rust crates. It also has another feature that allows you to build a pure Rust binary and package it as a Python package.

pip install zizmor

This makes it really easy to install in places where you have Python already installed, and zizmor is easily added to the $PATH.. It occurred to me that you could do this with npm as well.