ci: add zizmor for github action security (#284)

.github/renovate.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["github>Boshen/renovate"],
+  "extends": ["github>Boshen/renovate", "helpers:pinGitHubActionDigests"],
   "packageRules": [
     {
       "groupName": "npm packages",

.github/workflows/build.yml

@@ -12,7 +12,10 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/pnpm
 

.github/workflows/bump_oxlint.yml

@@ -14,14 +14,18 @@ jobs:
   bump:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false # should be fine, we give another token for PR creation
 
       - uses: ./.github/actions/pnpm
 
       - name: Generate version ${{ inputs.version }}
+        env:
+          OXLINT_VERSION: ${{ inputs.version }}
         run: |
-          pnpm install oxlint@${{ inputs.version }}
-          pnpm run clone ${{ inputs.version }}
+          pnpm install oxlint@${OXLINT_VERSION}
+          pnpm run clone ${OXLINT_VERSION}
           pnpm run generate # Generate rules from source code
           pnpm run format # run prettier over it
 
@@ -30,7 +34,9 @@ jobs:
         run: pnpm run test -u # Update test snapshots
 
       - name: Bump oxlint rules
-        run: npm version ${{ inputs.version }} --no-git-tag-version
+        env:
+          OXLINT_VERSION: ${{ inputs.version }}
+        run: npm version ${OXLINT_VERSION} --no-git-tag-version
 
       - uses: peter-evans/create-pull-request@v7
         with:

.github/workflows/ci_security.yml

@@ -0,0 +1,41 @@
+name: GitHub Actions Security Analysis
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - '.github/workflows/**'
+  push:
+    branches:
+      - main
+      - 'renovate/**'
+    paths:
+      - '.github/workflows/**'
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+
+      - uses: taiki-e/install-action@8c39981484df4e7ba41af8e8e078ac546d5e1b11 # v2.46.8
+        with:
+          tool: zizmor
+
+      - name: Run zizmor
+        run: zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor

.github/workflows/format.yml

@@ -12,7 +12,10 @@ jobs:
   format:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - name: Run Format (prettier)
         run: npx prettier . --check

.github/workflows/generate.yml

@@ -21,7 +21,10 @@ jobs:
   generate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/pnpm
 

.github/workflows/lint.yml

@@ -12,7 +12,10 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/pnpm
 

.github/workflows/release.yml

@@ -12,24 +12,27 @@ jobs:
       contents: write
       id-token: write # for `npm publish --provenance`
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: ./.github/actions/pnpm
 
       - name: Build
         run: pnpm run build
 
       - name: Extract version from commit message
+        env:
+          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
         run: |
-          VERSION=$(echo "${{ github.event.head_commit.message }}" | grep -oP 'release: \Kv[0-9]+\.[0-9]+\.[0-9]+')
+          VERSION=$(echo "${COMMIT_MESSAGE}" | grep -oP 'release: \Kv[0-9]+\.[0-9]+\.[0-9]+')
           echo "VERSION=$VERSION" >> $GITHUB_ENV
 
       - name: Create and push tag
         run: |
-          git tag ${{ env.VERSION }}
-          git push origin ${{ env.VERSION }}
+          git tag ${VERSION}
+          git push origin ${VERSION}
 
       - run: npx changelogithub
         continue-on-error: true

.github/workflows/test.yml

@@ -12,7 +12,10 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/pnpm
 

.github/workflows/type-check.yml

@@ -12,7 +12,10 @@ jobs:
   type-check:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/pnpm