feat(zizmor): Add Zizmor GitHub Action (#280)

bkochendorfer · jbuck · web-flow · commit 3e1ea287615b · 2025-04-01T09:02:43.000-05:00
* feat(zizmor): Add Zizmor GitHub Action Zizmor is a Static Analysis tool for GitHub Actions https://woodruffw.github.io/zizmor/usage/#use-in-github-actions * Update .github/workflows/zizmor.yaml Co-authored-by: Jon Buckley <jon@jbuckley.ca> --------- Co-authored-by: Jon Buckley <jon@jbuckley.ca>
diff --git a/.github/actions/action.yml b/.github/actions/action.yml
@@ -74,8 +74,11 @@ runs:
       shell: bash
       run: |
         mkdir output
-        echo '${{ steps.prev-version.outputs.result }}' > output/previous-version.txt
-        echo '${{ steps.new-version.outputs.result }}' > output/new-version.txt
+        echo '${PREV_VERSION}' > output/previous-version.txt
+        echo '${NEW_VERSION}' > output/new-version.txt
+      env:
+        PREV_VERSION: "${{ steps.prev-version.outputs.result }}"
+        NEW_VERSIION: "${{ steps.new-version.outputs.result }}"
     - name: Upload version artifacts
       uses: actions/upload-artifact@v4
       with:
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -4,6 +4,8 @@ on:
 - push
 - pull_request
 
+permissions: {}
+
 jobs:
   matrixify:
     name: Matrixify
@@ -18,7 +20,9 @@ jobs:
       with:
         ignore_dir: "**/example**"
     - name: Outputs
-      run: echo "${{ steps.search.outputs.matrix }}"
+      run: echo "${OUTPUTS_MATRIX}"
+      env:
+        OUTPUTS_MATRIX: ${{ steps.search.outputs.matrix }}
 
   terraform-ci:
     name: Terraform CI on "${{ matrix.directory }}"
diff --git a/.github/workflows/monorepo.yml b/.github/workflows/monorepo.yml
@@ -31,6 +31,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
         # I'm getting the labels from the API and not the context("contains(github.event.pull_request.labels.*.name, 'Env Promote')") as the labels
         # are added in 2nd API call so they aren't included in the PR context
+          persist-credentials: false
       - name: Check PR labels for semver
         id: check_pr_label
         env:
@@ -147,6 +148,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         ref: main # Only use composite action from main to prevent malicious PRs
+        persist-credentials: false
       # Do the per-module steps in a composite action because matrixes can't handle dynamic outputs
     - name: Generate docs and version bump
       uses: mozilla/terraform-modules/.github/actions@main
diff --git a/.github/workflows/zizmor.yaml b/.github/workflows/zizmor.yaml
@@ -0,0 +1,29 @@
+# https://github.com/woodruffw/zizmor
+name: GitHub Actions Security Analysis with Zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["*"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone Repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - run: python -m pip install zizmor
+        shell: bash
+      - name: Run zizmor
+        run: zizmor .
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -22,3 +22,9 @@ repos:
       - id: terraform_fmt
         exclude: \.terraform\/.*$
       - id: terraform_docs
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    # Zizmor version.
+    rev: v1.5.2
+    hooks:
+      # Run the linter.
+      - id: zizmor
