Add zizmor GitHub Actions workflow for CI security analysis (#10202)

Author: jonathan343

.github/dependabot.yml

@@ -9,6 +9,8 @@ updates:
     ignore:
       - dependency-name: "*"
         update-types: ["version-update:semver-patch"]
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -19,6 +21,8 @@ updates:
     ignore:
       - dependency-name: "*"
         update-types: ["version-update:semver-patch"]
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/"
@@ -44,6 +48,8 @@ updates:
       - dependency-name: "jmespath"
       - dependency-name: "urllib3"
       - dependency-name: "wheel"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/"
@@ -61,6 +67,8 @@ updates:
       - dependency-name: "pyyaml"
       - dependency-name: "wheel"
       - dependency-name: "rsa"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/"
@@ -79,3 +87,5 @@ updates:
       - dependency-name: "sphinx-lint" 
       - dependency-name: "sphinx-copybutton"
       - dependency-name: "sphinx-inline-tabs"
+    cooldown:
+      default-days: 7

.github/workflows/closed-issue-update.yml

@@ -3,15 +3,16 @@ name: Closed Issue Update
 on:
   issues:
     types: [closed]
-permissions:
-  issues: write
+permissions: {}
 
 jobs:
   unlabel:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     if: contains(toJson(github.event.issue.labels), 'needs-triage')
     steps:
-    - uses: actions/github-script@v8
+    - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       with:
         script: |
           github.rest.issues.removeLabel({
@@ -22,8 +23,10 @@ jobs:
           })      
   auto_comment:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
-    - uses: aws-actions/closed-issue-message@v2
+    - uses: aws-actions/closed-issue-message@10aaf6366131b673a7c8b7742f8b3849f1d44f18 # v2
       with:
         # These inputs are both required
         repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/doc-pr-cherry-pick.yml

@@ -20,6 +20,7 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Configure Git
         run: |

.github/workflows/handle-stale-discussions.yml

@@ -14,7 +14,7 @@ jobs:
       discussions: write
     steps:
       - name: Stale discussions action
-        uses: aws-github-ops/handle-stale-discussions@v1
+        uses: aws-github-ops/handle-stale-discussions@711a9813957be17629fc6933afcd8bd132c57254 # v1
         with:
           # This will close stale-discussions as outdated instead of answered
           close-stale-as-answered: false

.github/workflows/issue-regression-labeler.yml

@@ -25,8 +25,9 @@ jobs:
     - name: Manage regression label
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION: ${{ steps.check_regression.outputs.is_regression }}
       run: |
-        if [ "${{ steps.check_regression.outputs.is_regression }}" == "true" ]; then
+        if [ "${STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION}" == "true" ]; then
           gh issue edit ${{ github.event.issue.number }} --add-label "potential-regression" -R ${{ github.repository }}
         else
           gh issue edit ${{ github.event.issue.number }} --remove-label "potential-regression" -R ${{ github.repository }}

.github/workflows/run-bundle-test.yml

@@ -20,9 +20,11 @@ jobs:
         python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
         os: [ubuntu-latest, macOS-latest]
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies

.github/workflows/run-dep-tests.yml

@@ -20,6 +20,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
       with:

.github/workflows/run-tests.yml

@@ -19,9 +19,11 @@ jobs:
         os: [ubuntu-latest, macOS-latest, windows-latest]
 
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
@@ -33,6 +35,6 @@ jobs:
     - name: Run checks
       run: python scripts/ci/run-check
     - name: codecov
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
       with:
         directory: tests

.github/workflows/stale_community_prs.yml

@@ -1,12 +1,13 @@
 name: 'Check stale community PRs.'
 on: workflow_dispatch
 
-permissions:
-  pull-requests: write
+permissions: {}
 
 jobs:
   stale-implementation-stage:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
         with:
@@ -27,6 +28,8 @@ jobs:
           close-pr-label: closed-for-staleness
   stale-review-stage:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
         with:
@@ -61,4 +64,4 @@ jobs:
           days-before-issue-stale: -1
           only-pr-labels: community,review,response-requested,stale
           close-pr-label: DONTUSE
-          ignore-updates: true # Even if there are comments added, maintainers will need to reset labels to resume processing.
+          ignore-updates: true # Even if there are comments added, maintainers will need to reset labels to resume processing.

.github/workflows/stale_issue.yml

@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Stale issue job
     steps:
-    - uses: aws-actions/stale-issue-cleanup@v6
+    - uses: aws-actions/stale-issue-cleanup@7de35968489e4142233d2a6812519a82e68b5c38 # v6
       with:
         issue-types: issues
         stale-issue-message: Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.