chore: add zizmor workflow to harden GitHub Actions security (#968)

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Co-authored-by: cyclonedx-releases[bot] <275040549+cyclonedx-releases[bot]@users.noreply.github.com>

Author: 3 people

.github/dependabot.yml

@@ -7,6 +7,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     allow:
       - dependency-type: 'all'
     versioning-strategy: 'auto'
@@ -21,6 +23,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       ## prefix maximum string length of 15

.github/workflows/python.yml

@@ -34,6 +34,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -58,6 +60,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -82,6 +86,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -106,6 +112,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -142,6 +150,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -192,6 +202,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Create reports directory
         run: mkdir ${{ env.REPORTS_DIR }}
       - name: Setup Python Environment
@@ -270,6 +282,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6

.github/workflows/release.yml

@@ -49,6 +49,8 @@ jobs:
       - name: Checkout code
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -71,6 +73,8 @@ jobs:
       - name: Checkout code
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -106,25 +110,27 @@ jobs:
       - name: Generate GitHub App Token
         id: release-bot-token
         # see https://github.com/actions/create-github-app-token
-        uses: actions/create-github-app-token@v3
+        uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3
         with:
           # see https://github.com/organizations/CycloneDX/settings/apps/cyclonedx-releases
-          app-id: 3335294
+          client-id: 3335294
           private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }}
+          # for `permission-*` see `permissions` above
+          permission-contents: write
       - name: Get GitHub App User ID
         id: release-bot-user-id
-        run: |
-          set -xeu
-          echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
+          APP_SLUG: ${{ steps.release-bot-token.outputs.app-slug }}
           GH_TOKEN: ${{ steps.release-bot-token.outputs.token }}
+        run: echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
 
       - name: Checkout code
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
           token: ${{ steps.release-bot-token.outputs.token }}
+          persist-credentials: false
 
       - name: Setup python
         # see https://github.com/actions/setup-python

.github/workflows/zizmor.yml

@@ -0,0 +1,45 @@
+# Analyzes all GitHub Actions workflows for security issues using zizmor.
+# docs: https://docs.zizmor.sh/
+name: Workflow Security Analysis (zizmor)
+
+on:
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+  push:
+    paths:
+      - ".github/workflows/**"
+  schedule:
+    # Every Saturday at 00:00 UTC
+    - cron: "0 0 * * 6"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        # see https://github.com/zizmorcore/zizmor-action
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than
+          # uploading a SARIF report to GitHub's Security tab.
+          # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS),
+          # both of which are unnecessary here and would violate the least-privilege policy.
+          # The two modes are mutually exclusive: advanced-security must be false for
+          # annotations to take effect.
+          advanced-security: false
+          annotations: true

.pre-commit-config.yaml

@@ -42,3 +42,7 @@ repos:
         entry: poetry run -- tox r -e bandit
         pass_filenames: false
         language: system
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.24.1
+    hooks:
+      - id: zizmor

pyproject.toml

@@ -146,15 +146,15 @@ exclude_commit_patterns = [
 match = "(main|master)"
 prerelease = false
 
-[tool.semantic_release.branches."step"]
-match = "(build|chore|ci|docs|feat|fix|perf|style|refactor|tests?)"
-prerelease = true
-prerelease_token = "alpha"
-
 [tool.semantic_release.branches."major-dev"]
 match = "(\\d+\\.0\\.0-(dev|rc)|dev/\\d+\\.0\\.0)"
 prerelease = true
 prerelease_token = "rc"
 
+[tool.semantic_release.branches.fallback]
+match = ".*"
+prerelease = true
+prerelease_token = "alpha"
+
 [tool.deptry]
 extend_exclude = ["docs", "examples", "package_aliases", "tools"]