build: apply zizmor recommended fixes (#2764)

Author: nperez0111

.github/dependabot.yml

@@ -55,3 +55,5 @@ updates:
           - "react-dom"
           - "yjs"
           - "y-prosemirror"
+    cooldown:
+      default-days: 7

.github/workflows/build.yml

@@ -6,6 +6,9 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, edited]
 
+permissions:
+  contents: read
+
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
   NX_SELF_HOSTED_REMOTE_CACHE_ACCESS_TOKEN: ${{ secrets.NX_SELF_HOSTED_REMOTE_CACHE_ACCESS_TOKEN }}
@@ -18,23 +21,24 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 60
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 100
+          persist-credentials: false
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 
-      - uses: nrwl/nx-set-shas@v5
+      - uses: nrwl/nx-set-shas@afb73a62d26e41464e9254689e1fd6122ee683c1 # v5
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           cache: "pnpm"
           cache-dependency-path: "**/pnpm-lock.yaml"
           node-version-file: ".nvmrc"
 
       - name: Cache NX
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: .nx/cache
           key: nx-${{ env.NX_BRANCH }}-${{ env.NX_RUN_GROUP }}-${{ github.sha }}
@@ -59,7 +63,7 @@ jobs:
         run: NEXTJS_TEST_MODE=build npx vitest run tests/src/unit/nextjs/serverUtil.test.ts
 
       - name: Upload webpack stats artifact (editor)
-        uses: relative-ci/agent-upload-artifact-action@v2
+        uses: relative-ci/agent-upload-artifact-action@a2b5741b4f7e6a989c84ec1a3059696b23c152e5 # v2
         with:
           webpackStatsFile: ./playground/dist/webpack-stats.json
           artifactName: relative-ci-artifacts-editor
@@ -73,23 +77,24 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 30
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 100
+          persist-credentials: false
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 
-      - uses: nrwl/nx-set-shas@v5
+      - uses: nrwl/nx-set-shas@afb73a62d26e41464e9254689e1fd6122ee683c1 # v5
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           cache: "pnpm"
           cache-dependency-path: "**/pnpm-lock.yaml"
           node-version-file: ".nvmrc"
 
       - name: Cache NX
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: .nx/cache
           key: nx-playwright-${{ env.NX_BRANCH }}-${{ env.NX_RUN_GROUP }}-${{ github.sha }}
@@ -105,7 +110,7 @@ jobs:
         run: pnpm run build
 
       - name: Upload build artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: playwright-build
           path: |
@@ -127,21 +132,22 @@ jobs:
         shardIndex: [1, 2]
         shardTotal: [2]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 100
+          persist-credentials: false
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           cache: "pnpm"
           cache-dependency-path: "**/pnpm-lock.yaml"
           node-version-file: ".nvmrc"
 
       - name: Download build artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: playwright-build
 
@@ -153,15 +159,15 @@ jobs:
           HOME=/root PLAYWRIGHT_CONFIG="--project ${{ matrix.browser }} --shard=${{ matrix.shardIndex }}/${{ matrix.shardTotal }}" pnpm run e2e
 
       - name: Upload blob report
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         if: ${{ !cancelled() }}
         with:
           name: blob-report-${{ matrix.browser }}-${{ matrix.shardIndex }}
           path: tests/blob-report/
           retention-days: 1
 
       - name: Upload HTML report
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         if: ${{ !cancelled() }}
         with:
           name: playwright-report-${{ matrix.browser }}-${{ matrix.shardIndex }}
@@ -174,12 +180,14 @@ jobs:
     needs: playwright
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           cache: "pnpm"
           cache-dependency-path: "**/pnpm-lock.yaml"
@@ -189,7 +197,7 @@ jobs:
         run: pnpm install
 
       - name: Download blob reports
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           path: tests/all-blob-reports
           pattern: blob-report-*
@@ -200,7 +208,7 @@ jobs:
         working-directory: tests
 
       - name: Upload merged HTML report
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: playwright-report-merged
           path: tests/playwright-report/

.github/workflows/fresh-install-tests.yml

@@ -15,6 +15,9 @@ on:
     - cron: "0 2 * * *" # Daily at 02:00 UTC
   workflow_dispatch: # Allow manual runs
 
+permissions:
+  contents: read
+
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
   pnpm_config_store_dir: ./node_modules/.pnpm-store
@@ -27,14 +30,16 @@ jobs:
 
     steps:
       - id: checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - id: install_pnpm
         name: Install pnpm
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
 
       - id: setup_node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version-file: ".nvmrc"
           # Intentionally no pnpm cache — we want fresh prod dep resolution
@@ -99,28 +104,36 @@ jobs:
           RUN_NUMBER: ${{ github.run_number }}
           RUN_ATTEMPT: ${{ github.run_attempt }}
           BRANCH: ${{ github.ref_name }}
+          STEPS_CHECKOUT_OUTCOME: ${{ steps.checkout.outcome }}
+          STEPS_INSTALL_PNPM_OUTCOME: ${{ steps.install_pnpm.outcome }}
+          STEPS_SETUP_NODE_OUTCOME: ${{ steps.setup_node.outcome }}
+          STEPS_INSTALL_DEPENDENCIES_OUTCOME: ${{ steps.install_dependencies.outcome }}
+          STEPS_UPDATE_PROD_DEPS_OUTCOME: ${{ steps.update_prod_deps.outcome }}
+          STEPS_DEDUPE_DEPS_OUTCOME: ${{ steps.dedupe_deps.outcome }}
+          STEPS_BUILD_PACKAGES_OUTCOME: ${{ steps.build_packages.outcome }}
+          STEPS_RUN_UNIT_TESTS_OUTCOME: ${{ steps.run_unit_tests.outcome }}
         run: |
           if [ -z "$SLACK_WEBHOOK_URL" ]; then
             echo "SLACK_WEBHOOK_URL is not configured; skipping Slack notification."
             exit 0
           fi
 
           failed_step="Unknown step"
-          if [ "${{ steps.checkout.outcome }}" = "failure" ]; then
+          if [ "${STEPS_CHECKOUT_OUTCOME}" = "failure" ]; then
             failed_step="Checkout repository"
-          elif [ "${{ steps.install_pnpm.outcome }}" = "failure" ]; then
+          elif [ "${STEPS_INSTALL_PNPM_OUTCOME}" = "failure" ]; then
             failed_step="Install pnpm"
-          elif [ "${{ steps.setup_node.outcome }}" = "failure" ]; then
+          elif [ "${STEPS_SETUP_NODE_OUTCOME}" = "failure" ]; then
             failed_step="Setup Node.js"
-          elif [ "${{ steps.install_dependencies.outcome }}" = "failure" ]; then
+          elif [ "${STEPS_INSTALL_DEPENDENCIES_OUTCOME}" = "failure" ]; then
             failed_step="Install dependencies"
-          elif [ "${{ steps.update_prod_deps.outcome }}" = "failure" ]; then
+          elif [ "${STEPS_UPDATE_PROD_DEPS_OUTCOME}" = "failure" ]; then
             failed_step="Update prod deps of published packages"
-          elif [ "${{ steps.dedupe_deps.outcome }}" = "failure" ]; then
+          elif [ "${STEPS_DEDUPE_DEPS_OUTCOME}" = "failure" ]; then
             failed_step="Dedupe transitive dependencies"
-          elif [ "${{ steps.build_packages.outcome }}" = "failure" ]; then
+          elif [ "${STEPS_BUILD_PACKAGES_OUTCOME}" = "failure" ]; then
             failed_step="Build packages"
-          elif [ "${{ steps.run_unit_tests.outcome }}" = "failure" ]; then
+          elif [ "${STEPS_RUN_UNIT_TESTS_OUTCOME}" = "failure" ]; then
             failed_step="Run unit tests"
           fi
 

.github/workflows/publish.yaml

@@ -29,39 +29,42 @@ jobs:
       attestations: write
     timeout-minutes: 10
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ inputs.version }}
           fetch-depth: 100
+          persist-credentials: false
       - name: Display version being published
         run: |
-          echo "Publishing version: ${{ inputs.version }}"
+          echo "Publishing version: ${INPUTS_VERSION}"
+        env:
+          INPUTS_VERSION: ${{ inputs.version }}
 
       - run: jq '.packageManager' package.json | tr -d '"pnpm@'
         id: package-manager-version
 
       - name: Install pnpm
-        uses: pnpm/action-setup@v5
+        uses: pnpm/action-setup@0e279bb959325dab635dd2c09392533439d90093 # v6.0.8
         with:
           version: ${{ steps.package-manager-version.outputs.stdout }}
 
-      - uses: nrwl/nx-set-shas@v5
+      - uses: nrwl/nx-set-shas@afb73a62d26e41464e9254689e1fd6122ee683c1 # v5
 
-      - uses: actions/setup-node@v6
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6 # zizmor: ignore[cache-poisoning]
         with:
-          cache: "pnpm"
-          cache-dependency-path: "**/pnpm-lock.yaml"
+          # No pnpm cache -- correctness over speed for publish workflows
           node-version-file: ".nvmrc"
 
       - name: Cache NX
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
         with:
           path: .nx/cache
           key: nx-${{ env.NX_BRANCH }}-${{ env.NX_RUN_GROUP }}-${{ github.sha }}
           restore-keys: |
             nx-${{ env.NX_BRANCH }}-${{ env.NX_RUN_GROUP }}-
             nx-${{ env.NX_BRANCH }}-
             nx-
+          lookup-only: true
 
       - name: Install Dependencies & Build
         run: pnpm install && pnpm build

.github/workflows/relative-ci.yaml

@@ -1,17 +1,24 @@
 name: RelativeCI
 
 on:
+  # zizmor: ignore[dangerous-triggers] -- workflow_run is the recommended pattern
+  # for RelativeCI; this workflow only downloads artifacts and reports bundle stats.
   workflow_run:
     workflows: ["build"]
     types:
       - completed
 
+permissions:
+  actions: read
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    if: github.event.workflow_run.conclusion == 'success'
     steps:
       - name: Send bundle stats and build information to RelativeCI (editor)
-        uses: relative-ci/agent-action@v2
+        uses: relative-ci/agent-action@fcf45416581928e8dd62eded78ce98c78e5149f8 # v3.2.3
         with:
           artifactName: relative-ci-artifacts-editor
           key: ${{ secrets.RELATIVE_CI_KEY }}

.github/workflows/zizmor.yml

@@ -0,0 +1,26 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6