feat: add zizmor (#6957)

Support linting GitHub Actions files with Zizmor

Close #6740

Author: ferrarimarco

.github/dependabot.yml

@@ -97,6 +97,7 @@ updates:
         # We can group all Docker dependencies because they are isolated from
         # each other
         patterns:
+          - aquasecurity/trivy
           - alpine/helm
           - alpine/terragrunt
           - dotenvlinter/dotenv-linter
@@ -157,6 +158,7 @@ updates:
           - snakemake
           - sqlfluff
           - yamllint
+          - zizmor
 
   - package-ecosystem: "gradle"
     commit-message:

.github/linters/.jscpd.json

@@ -14,6 +14,8 @@
     "**/test/linters/dotnet_sln_format_analyzers",
     "**/test/linters/dotnet_sln_format_style",
     "**/test/linters/dotnet_sln_format_whitespace",
+    "**/test/linters/github_actions",
+    "**/test/linters/github_actions_zizmor",
     "**/test/linters/go_modules",
     "**/test/linters/html",
     "**/test/linters/javascript_es",

.github/linters/zizmor.yaml

@@ -0,0 +1,10 @@
+---
+rules:
+  unpinned-uses:
+    ignore:
+      - ci.yml
+      - cd.yml
+      - dependabot-automation.yaml
+      - lint-commit.yaml
+      - stale.yaml
+      - thank_contributors.yaml

.github/workflows/cd.yml

@@ -38,6 +38,8 @@ jobs:
     steps:
       - name: Checkout Code
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -115,6 +117,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set build metadata
         run: |
@@ -276,7 +279,7 @@ jobs:
         if: steps.release.outputs.release_created
         # shellcheck disable=SC2062
         run: |
-          RELEASE_VERSION="${{ steps.release.outputs.tag_name }}"
+          RELEASE_VERSION="${STEPS_RELEASE_OUTPUTS_TAG_NAME}"
 
           if [ -z "${RELEASE_VERSION}" ]; then
             echo "Error RELEASE_VERSION is empty. Exiting..."
@@ -288,12 +291,15 @@ jobs:
             exit 2
           fi
 
-          SEMVER_MAJOR_VERSION=v${{ steps.release.outputs.major }}
+          SEMVER_MAJOR_VERSION=v${STEPS_RELEASE_OUTPUTS_MAJOR}
 
           {
             echo "RELEASE_VERSION=${RELEASE_VERSION}"
             echo "SEMVER_MAJOR_VERSION=${SEMVER_MAJOR_VERSION}"
           } >> "${GITHUB_ENV}"
+        env:
+          STEPS_RELEASE_OUTPUTS_TAG_NAME: ${{ steps.release.outputs.tag_name }}
+          STEPS_RELEASE_OUTPUTS_MAJOR: ${{ steps.release.outputs.major }}
 
       - name: Login to GHCR
         if: steps.release.outputs.release_created
@@ -326,6 +332,8 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          # Persist credentials because we update Git tags
+          persist-credentials: true
 
       # No need to tag major.minor.patch because that tag is automatically created when creating the release
       - name: Tag major, minor, and latest versions
@@ -334,10 +342,10 @@ jobs:
           git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
           git config user.name "github-actions[bot]"
 
-          git tag --annotate --force ${{ env.SEMVER_MAJOR_VERSION }} -m "Release ${{ env.SEMVER_MAJOR_VERSION }}"
-          git tag --annotate --force latest -m "Release latest (${{ env.RELEASE_VERSION }})"
+          git tag --annotate --force "${SEMVER_MAJOR_VERSION}" -m "Release ${SEMVER_MAJOR_VERSION}"
+          git tag --annotate --force latest -m "Release latest (${RELEASE_VERSION})"
 
-          git push --force origin ${{ env.SEMVER_MAJOR_VERSION }}
+          git push --force origin "${SEMVER_MAJOR_VERSION}"
           git push --force origin latest
 
       - name: Create Issue on Failure

.github/workflows/ci.yml

@@ -29,6 +29,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set build metadata
         id: set-container-image-build-metadata
@@ -102,6 +103,8 @@ jobs:
     steps:
       - name: Checkout Code
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -158,6 +161,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Free Disk space
         shell: bash
@@ -202,7 +206,7 @@ jobs:
       # Ref: https://github.com/moby/buildkit/issues/1555
       - name: Load image
         run: |
-          docker load <"/tmp/${{ env.CONTAINER_IMAGE_OUTPUT_IMAGE_NAME }}.tar"
+          docker load <"/tmp/${CONTAINER_IMAGE_OUTPUT_IMAGE_NAME}.tar"
 
       - name: Print environment info
         run: |
@@ -238,6 +242,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Download ${{ env.CONTAINER_IMAGE_OUTPUT_IMAGE_NAME }} container image
         uses: actions/[email protected]
@@ -247,7 +252,7 @@ jobs:
 
       - name: Load ${{ env.CONTAINER_IMAGE_OUTPUT_IMAGE_NAME }} container image
         run: |
-          docker load --input /tmp/${{ env.CONTAINER_IMAGE_OUTPUT_IMAGE_NAME }}.tar
+          docker load --input "/tmp/${CONTAINER_IMAGE_OUTPUT_IMAGE_NAME}.tar"
           docker image ls -a
 
       - name: Update action.yml
@@ -293,6 +298,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Generate test cases matrix
         id: generate-matrix
         run: |
@@ -338,6 +344,7 @@ jobs:
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Download ${{ env.CONTAINER_IMAGE_OUTPUT_IMAGE_NAME }} container image
         uses: actions/[email protected]
@@ -347,15 +354,16 @@ jobs:
 
       - name: Load ${{ env.CONTAINER_IMAGE_OUTPUT_IMAGE_NAME }} container image
         run: |
-          docker load --input /tmp/${{ env.CONTAINER_IMAGE_OUTPUT_IMAGE_NAME }}.tar
+          docker load --input "/tmp/${CONTAINER_IMAGE_OUTPUT_IMAGE_NAME}.tar"
           docker image ls -a
 
       - name: "Test case: ${{ env.CONTAINER_IMAGE_OUTPUT_IMAGE_NAME }} - ${{ matrix.test-case }}"
         run: |
-          echo "Running: ${{ env.CONTAINER_IMAGE_OUTPUT_IMAGE_NAME }} - ${{ matrix.test-case }}"
-          make ${{ matrix.test-case }}
+          echo "Running: ${CONTAINER_IMAGE_OUTPUT_IMAGE_NAME} - ${MATRIX_TEST_CASE}"
+          make "${MATRIX_TEST_CASE}"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MATRIX_TEST_CASE: ${{ matrix.test-case }}
 
   # The purpose of this job is to run only when the run-test-suite job runs to completion.
   # We can use this job as a required status check in a branch protection rule without
@@ -386,6 +394,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup authentication token
         run: |

.github/workflows/dependabot-automation.yaml

@@ -17,7 +17,7 @@ jobs:
       PR_URL: ${{github.event.pull_request.html_url}}
       GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
     runs-on: ubuntu-latest
-    if: github.actor == 'dependabot[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
     steps:
       - name: Fetch Dependabot metadata
         id: metadata

.github/workflows/lint-commit.yaml

@@ -18,6 +18,7 @@ jobs:
       - uses: actions/checkout@v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Check if the pull request contains a single commit
         if: github.event_name == 'pull_request'

Dockerfile

@@ -460,6 +460,7 @@ ENV PATH="${PATH}:/venvs/snakemake/bin"
 ENV PATH="${PATH}:/venvs/sqlfluff/bin"
 ENV PATH="${PATH}:/venvs/yamllint/bin"
 ENV PATH="${PATH}:/venvs/yq/bin"
+ENV PATH="${PATH}:/venvs/zizmor/bin"
 ENV PATH="${PATH}:/node_modules/.bin"
 ENV PATH="${PATH}:/usr/lib/go/bin"
 ENV PATH="${PATH}:${DART_SDK}/bin:/root/.pub-cache/bin"

Makefile

@@ -296,6 +296,7 @@ fix-codebase: ## Fix and format the entire codebase
 		-e DEFAULT_BRANCH=main \
 		-e ENABLE_GITHUB_ACTIONS_GROUP_TITLE=true \
 		-e FILTER_REGEX_EXCLUDE=".*(/test/linters/|CHANGELOG.md|/test/data/test-repository-contents/).*" \
+		-e FIX_GITHUB_ACTIONS_ZIZMOR=true \
 		-e FIX_ENV=true \
 		-e FIX_JAVASCRIPT_ES=true \
 		-e FIX_JAVASCRIPT_PRETTIER=true \