
THRIFT-5965: Added zizmor to run static analysis on GitHub actions#3441

Merged: kpumuk merged 1 commit into apache:master from kpumuk:zizmor on May 3, 2026

Conversation

@kpumuk kpumuk (Member) commented May 3, 2026

zizmor is a static analysis tool for GitHub Actions. It can find and fix many common security issues in typical GitHub Actions CI/CD setups. See https://docs.zizmor.sh/

Note

ASF Infrastructure recommends running zizmor static analysis on GitHub Actions workflows to detect security issues (see GitHub Actions Security).

Our workflows had a few common themes, which were addressed:

  • Added Dependabot cooldowns.
  • Added persist-credentials: false to checkout steps flagged by artipacked.
  • Disabled Ruby release Bundler cache.
  • Pinned ASF allowlist action to a commit SHA.
  • Switched Rust publishing to crates.io trusted publishing with explicit id-token: write.

zizmor . initially reported 63 findings, including 37 pre-existing suppressed findings and 26 active findings. This change addresses all active findings; the final zizmor . run reports no findings, with the same 37 suppressed findings still suppressed.

Dependabot Cooldown

Findings:

  • .github/dependabot.yml: dependabot-cooldown warned that the github-actions, gradle for lib/java, and gradle for lib/kotlin updaters had no cooldown.

Remediation:

  • Added cooldown.default-days: 7 to each updater so Dependabot waits before opening updates for freshly released dependencies.

Checkout Credential Persistence

Findings:

  • artipacked warned that checkout steps did not explicitly disable persisted GitHub credentials in .github/workflows/build.yml, .github/workflows/cmake.yml, .github/workflows/msvc.yml, .github/workflows/pypi.yml, .github/workflows/release_rust.yml, and .github/workflows/sca.yml.

Remediation:

  • Added with: persist-credentials: false to affected actions/checkout steps that do not need to push back to the repository.

Release Cache Poisoning

Findings:

  • .github/workflows/release_ruby.yml: cache-poisoning warned that the Ruby release workflow restored Bundler cache state before publishing the gem.

Remediation:

  • Disabled bundler-cache for the Ruby release job so publish-time artifacts are not built or released from restored CI cache state.

Unpinned Action Reference

Findings:

  • .github/workflows/asf-allowlist-check.yml: unpinned-uses warned that apache/infrastructure-actions/allowlist-check@main used a mutable branch reference.

Remediation:

  • Pinned the allowlist check action to commit 8056239fafd626c8a4e2d6679506ba0d8e60f196.

Rust Release Permissions and Publishing Token

Findings:

  • .github/workflows/release_rust.yml: excessive-permissions warned that the publish job used default permissions.
  • .github/workflows/release_rust.yml: use-trusted-publishing recommended replacing the long-lived CARGO_REGISTRY_TOKEN secret with trusted publishing.

Remediation:

  • Added explicit job permissions: contents: read and id-token: write.
  • Replaced the long-lived crates.io secret flow with rust-lang/crates-io-auth-action, pinned to commit bbd81622f20ce9e2dd9622e3218b975523e45bbe, and passed the action's temporary token to cargo publish.

  • Did you create an Apache Jira ticket? THRIFT-5965
  • If a ticket exists: Does your pull request title follow the pattern "THRIFT-NNNN: describe my issue"?
  • Did you squash your changes to a single commit? (not required, but preferred)
  • Did you do your best to avoid breaking changes? If one was needed, did you label the Jira ticket with "Breaking-Change"?
  • If your change does not involve any code, include [skip ci] anywhere in the commit message to free up build resources.
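The three workflow-level fixes described in the PR (persist-credentials: false on checkout, pinning third-party actions to a commit SHA, and explicit job permissions) can be checked mechanically. The following is an added example, not code from the Thrift PR and not zizmor's implementation: a small Ruby checker that approximates zizmor's artipacked, unpinned-uses and excessive-permissions audits and runs them over two constructed workflows, a weak "before" and a hardened "after". The workflows, the action name example/some-action and its 40-hex placeholder SHA are constructed for illustration; the pinning policy (first-party actions/* may use any ref, everything else needs a full commit SHA) is an assumption that mirrors zizmor's default and, working offline, cannot distinguish a tag from a branch.

```ruby
# Added example (not code from the Thrift PR or from zizmor): approximate
# three zizmor audits over constructed workflows. The pinning policy is an
# assumption that mirrors zizmor's default; it cannot tell a tag from a branch.
require 'yaml'

# Constructed "before" workflow: checkout keeps GITHUB_TOKEN in .git/config,
# a third-party action floats on a branch, the job runs with default token
# permissions, and publishing uses a long-lived registry secret.
WEAK_WORKFLOW = <<~'YAML'
  name: release
  on:
    push:
      tags: ['v*']
  jobs:
    publish:
      runs-on: ubuntu-latest
      steps:
        - uses: actions/checkout@v4
        - uses: example/some-action@main
        - run: "cargo publish --token ${{ secrets.CARGO_REGISTRY_TOKEN }}"
YAML

# Constructed "after" workflow, hardened the way the PR describes: credentials
# not persisted, third-party action pinned to a (placeholder) commit SHA, and
# explicit job permissions with id-token: write for OIDC trusted publishing.
HARDENED_WORKFLOW = <<~'YAML'
  name: release
  on:
    push:
      tags: ['v*']
  jobs:
    publish:
      runs-on: ubuntu-latest
      permissions:
        contents: read
        id-token: write
      steps:
        - uses: actions/checkout@v4
          with:
            persist-credentials: false
        - uses: example/some-action@0123456789abcdef0123456789abcdef01234567
        - run: cargo publish
YAML

FULL_SHA = /\A[0-9a-f]{40}\z/

# Pinning policy (assumption approximating zizmor's default): first-party
# actions/* may use any ref, everything else must be a full commit SHA.
def pinned_ok?(name, ref)
  return false if ref.nil? || ref.empty?
  return true if name.start_with?('actions/')
  ref.match?(FULL_SHA)
end

# Returns one finding string per problem found in a workflow YAML document.
def audit_workflow(yaml_text)
  doc = YAML.safe_load(yaml_text)
  findings = []
  workflow_perms = doc.key?('permissions')
  (doc['jobs'] || {}).each do |job_name, job|
    # excessive-permissions: with no permissions block at workflow or job
    # level, the job receives the repository's default GITHUB_TOKEN scopes.
    unless workflow_perms || job.key?('permissions')
      findings << "excessive-permissions: job '#{job_name}' relies on default GITHUB_TOKEN permissions"
    end
    (job['steps'] || []).each_with_index do |step, idx|
      uses = step['uses']
      next unless uses
      name, ref = uses.split('@', 2)
      # artipacked: actions/checkout stores the token in .git/config unless
      # persist-credentials is explicitly false, so later steps (and any
      # artifact that includes .git) can read it.
      if name == 'actions/checkout' && (step['with'] || {})['persist-credentials'] != false
        findings << "artipacked: job '#{job_name}' step #{idx} checkout keeps persisted credentials"
      end
      # unpinned-uses: a branch or tag can be moved later; only a full
      # commit SHA is immutable.
      unless pinned_ok?(name, ref)
        findings << "unpinned-uses: job '#{job_name}' step #{idx} uses '#{uses}' without a commit SHA pin"
      end
    end
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  { 'weak' => WEAK_WORKFLOW, 'hardened' => HARDENED_WORKFLOW }.each do |label, wf|
    findings = audit_workflow(wf)
    puts "#{label}: #{findings.size} finding(s)"
    findings.each { |f| puts "  #{f}" }
  end
end
```

Running the script reports three findings for the weak workflow and none for the hardened one. The checker deliberately reads only the jobs tree; note that Ruby's YAML parser resolves the unquoted top-level key on as the boolean true, so code that needs the trigger list must look up doc[true], not doc['on'].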

@kpumuk kpumuk requested review from Jens-G, fishy and jimexist as code owners May 3, 2026 16:07
@mergeable mergeable (bot) added the github_actions label (Pull requests that update GitHub Actions code) May 3, 2026
@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@kpumuk kpumuk changed the title from "Added zizmor to run static analysis on GitHub actions" to "THRIFT-5965: Added zizmor to run static analysis on GitHub actions" May 3, 2026
@kpumuk kpumuk merged commit b08ef9a into apache:master May 3, 2026
87 of 88 checks passed
@kpumuk kpumuk deleted the zizmor branch May 3, 2026 18:05

Labels: github_actions (Pull requests that update GitHub Actions code)

2 participants