ci, action: address zizmor findings

Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <[email protected]>
Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

.github/workflows/build-and-push-docker-image.yml

@@ -13,6 +13,8 @@ on:   # yamllint disable-line rule:truthy
         required: true
         type: string
 
+permissions: {}
+
 jobs:
   smoke-test:
     uses: ./.github/workflows/reusable-smoke-test.yml
@@ -34,13 +36,17 @@ jobs:
         jobs: ${{ toJSON(needs) }}
 
   build-and-push:
+    permissions:
+      packages: write
     if: github.event_name != 'pull_request'
     runs-on: ubuntu-latest
     needs:
     - check
     timeout-minutes: 10
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Build Docker image
       run: |
         DOCKER_TAG="${DOCKER_TAG/'/'/'-'}"

.github/workflows/reusable-smoke-test.yml

@@ -54,6 +54,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         path: test
+        persist-credentials: false
     - name: Fail-fast in unsupported environments
       continue-on-error: true
       id: fail-fast
@@ -89,6 +90,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         path: test
+        persist-credentials: false
     - name: Install the packaging-related tools
       run: python3 -m pip install build twine
       env:

.github/workflows/zizmor.yml

@@ -0,0 +1,19 @@
+---
+
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:  # yamllint disable-line rule:truthy
+  push:
+  pull_request:
+
+jobs:
+  zizmor:
+    name: 🌈 zizmor
+
+    permissions:
+      security-events: write
+
+    # yamllint disable-line rule:line-length
+    uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@1ae473d8672fe7613e809d86d202a35063736e16
+
+...

.github/zizmor.yml

@@ -0,0 +1,8 @@
+---
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        actions/*: ref-pin
+        github/*: ref-pin
+        re-actors/*: ref-pin

action.yml

@@ -100,7 +100,7 @@ runs:
       exit 1
     shell: bash -eEuo pipefail {0}
   - name: Reset path if needed
-    run: |
+    run: | # zizmor: ignore[github-env] PATH is not user-controlled
       # Reset path if needed
       # https://github.com/pypa/gh-action-pypi-publish/issues/112
       if [[ $PATH != *"/usr/bin"* ]]; then
@@ -111,25 +111,6 @@ runs:
         echo "\$PATH reset. \$PATH=$PATH"
       fi
     shell: bash
-  - name: Set repo and ref from which to run Docker container action
-    id: set-repo-and-ref
-    run: |
-      # Set repo and ref from which to run Docker container action
-      # to handle cases in which `github.action_` context is not set
-      # https://github.com/actions/runner/issues/2473
-      REF=${{ env.ACTION_REF || env.PR_REF || github.ref_name }}
-      REPO=${{ env.ACTION_REPO || env.PR_REPO || github.repository }}
-      REPO_ID=${{ env.PR_REPO_ID || github.repository_id }}
-      echo "ref=$REF" >>"$GITHUB_OUTPUT"
-      echo "repo=$REPO" >>"$GITHUB_OUTPUT"
-      echo "repo-id=$REPO_ID" >>"$GITHUB_OUTPUT"
-    shell: bash
-    env:
-      ACTION_REF: ${{ github.action_ref }}
-      ACTION_REPO: ${{ github.action_repository }}
-      PR_REF: ${{ github.event.pull_request.head.ref }}
-      PR_REPO: ${{ github.event.pull_request.head.repo.full_name }}
-      PR_REPO_ID: ${{ github.event.pull_request.base.repo.id }}
   - name: Discover pre-installed Python
     id: pre-installed-python
     run: |
@@ -151,9 +132,26 @@ runs:
         || steps.pre-installed-python.outputs.python-path
       }} '${{ github.action_path }}/create-docker-action.py'
     env:
-      REF: ${{ steps.set-repo-and-ref.outputs.ref }}
-      REPO: ${{ steps.set-repo-and-ref.outputs.repo }}
-      REPO_ID: ${{ steps.set-repo-and-ref.outputs.repo-id }}
+      # Set repo and ref from which to run Docker container action
+      # to handle cases in which `github.action_` context is not set
+      # https://github.com/actions/runner/issues/2473
+      REF: >-
+        ${{
+          github.action_ref
+          || github.event.pull_request.head.ref
+          || github.ref_name
+        }}
+      REPO: >-
+        ${{
+          github.action_repository
+          || github.event.pull_request.head.repo.full_name
+          || github.repository
+        }}
+      REPO_ID: >-
+        ${{
+          github.event.pull_request.base.repo.id
+          || github.repository_id
+        }}
     shell: bash
   - name: Run Docker container
     # The generated trampoline action must exist in the allowlisted