enh: zizmor for gha analysis [#patch]

.github/workflows/docker-build-and-push.yml

@@ -51,15 +51,13 @@ on:
       registry-password:
         required: true
 
-permissions:
-  id-token: write
-  packages: write
-  contents: read
-  attestations: write
-  security-events: write
-
 jobs:
   build-and-push-image:
+    permissions:
+      packages: write
+      contents: read
+      attestations: write
+      security-events: write
     name: Docker build and push
     runs-on: ${{ inputs.runs-on }}
     steps:
@@ -83,9 +81,14 @@ jobs:
             ${{ inputs.egress-policy-allowlist }}
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
       - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf
         # v3.2.0
       - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349
+        with:
+          cache-binary: false
         # v3.7.1
       - name: Log in to the Container registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567

.github/workflows/gitleaks.yml

@@ -31,6 +31,7 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: gitleaks
         uses: gitleaks/gitleaks-action@83373cf2f8c4db6e24b41c1a9b086bb9619e9cd3
         # v2.3.7

.github/workflows/go-ci.yml

@@ -44,6 +44,7 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
         # v5.1.0
         with:
@@ -82,6 +83,7 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Setup Go
         uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
         # v5.1.0

.github/workflows/go-security-scan.yml

@@ -41,6 +41,7 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Run Gosec Security Scanner
         # kics-scan ignore-line
         uses: securego/gosec@master

.github/workflows/infra-security-scan.yml

@@ -24,6 +24,8 @@ jobs:
   infra-security-scan:
     name: Scan with Kics
     runs-on: ${{ inputs.runs-on }}
+    permissions:
+      security-events: write
     defaults:
       run:
         working-directory: ${{ inputs.working-directory }}
@@ -45,12 +47,13 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Kics Scan
         uses: Checkmarx/kics-github-action@94469746ec2c43de89a42fb9d2a80070f5d25b16
         # v2.1.3
         with:
           path: .
-          output_path: ${{ inputs.working-directory }}/results.sarif
+          output_path: ${{ inputs.working-directory }}/kics_results.sarif
           output_formats: sarif
           fail_on: high,medium
           token: ${{ github.token }}
@@ -62,7 +65,43 @@ jobs:
         uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0
         # v2.19.0
         with:
-          sarif_file: ${{ inputs.working-directory }}/results.sarif
+          sarif_file: ${{ inputs.working-directory }}/kics_results.sarif
+
+  zizmor:
+    name: zizmor GitHub Actions Security Analysis
+    runs-on: ${{ inputs.runs-on }}
+    permissions:
+      security-events: write
+    steps:
+      - uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f
+        # v2.10.2
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@887a942a15af3a7626099df99e897a18d9e5ab3a
+        # v5.1.0
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > zizmor_results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@5618c9fc1e675841ca52c1c6b1304f5255a905a0
+        # v2.19.0
+        with:
+          sarif_file: zizmor_results.sarif
+          category: zizmor
 
   checkmake:
     name: Check Makefile
@@ -88,6 +127,7 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed
         # v5.1.0
         with:
@@ -104,8 +144,10 @@ jobs:
         continue-on-error: true
         run: |
           go install github.com/mrtazz/checkmake/cmd/checkmake@latest
-          CHECKMAKE_OUTPUT=$(checkmake ${{ steps.find-files.outputs.FILES }} --debug)
+          CHECKMAKE_OUTPUT=$(checkmake "$FILES" --debug)
           echo "CHECKMAKE_OUTPUT=$CHECKMAKE_OUTPUT" >> $GITHUB_OUTPUT
+        env:
+          FILES: ${{ steps.find-files.outputs.FILES }}
         shell: bash
       - name: PR comment with file
         if: github.event_name == 'pull_request' && steps.scan-files.outputs.CHECKMAKE_OUTPUT != ''

.github/workflows/local-auto-tagger.yml

@@ -26,6 +26,9 @@ jobs:
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
         # v4.2.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
       - name: Get changed files for each workflow and action
         id: changed-files
         uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366

.github/workflows/python-ci.yml

@@ -44,6 +44,7 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
         # v5.2.1
         with:

.github/workflows/rust-ci.yml

@@ -54,6 +54,7 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Cargo cache
         uses: swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
         # v2.7.5
@@ -84,6 +85,7 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Cargo cache
         uses: swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
         # v2.7.5
@@ -118,6 +120,7 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Cargo cache
         uses: swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
         # v2.7.5
@@ -169,6 +172,7 @@ jobs:
         # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
         # v4.0.2
         with: