ci: add zizmor github actions security analysis workflow

Author: aagbotemi

.github/workflows/audit.yml

@@ -18,6 +18,8 @@ jobs:
     steps:
       - name: "Check out PR branch"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Run audit"
         run: |

.github/workflows/cont_integration.yml

@@ -7,6 +7,8 @@ on:
     paths:
       - "bdk-ffi/**"
 
+permissions: {}
+
 jobs:
   build-test:
     name: "Build and test"
@@ -22,9 +24,14 @@ jobs:
     steps:
       - name: "Checkout"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Generate cache key"
-        run: echo "${{ matrix.rust.version }} ${{ matrix.features }}" | tee .cache_key
+        env:
+          MATRIX_RUST_VERSION: ${{ matrix.rust.version }}
+          MATRIX_FEATURES: ${{ matrix.features }}
+        run: echo "$MATRIX_RUST_VERSION $MATRIX_FEATURES" | tee .cache_key
 
       - name: "Cache"
         uses: actions/cache@v3
@@ -36,7 +43,9 @@ jobs:
           key: ${{ runner.os }}-cargo-${{ hashFiles('.cache_key') }}-${{ hashFiles('**/Cargo.toml','**/Cargo.lock') }}
 
       - name: "Set default toolchain"
-        run: rustup default ${{ matrix.rust.version }}
+        env:
+          MATRIX_RUST_VERSION: ${{ matrix.rust.version }}
+        run: rustup default $MATRIX_RUST_VERSION
 
       - name: "Set profile"
         run: rustup set profile minimal
@@ -67,6 +76,8 @@ jobs:
     steps:
       - name: "Checkout"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Set default toolchain"
         run: rustup default nightly

.github/workflows/kotlin-api-docs.yaml

@@ -2,12 +2,16 @@ name: Build JVM and Android API Docs Websites
 
 on: workflow_dispatch
 
+permissions: {}
+
 jobs:
   deploy:
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout"
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: "Set up JDK 17"
         uses: actions/setup-java@v2

.github/workflows/live-tests.yaml

@@ -4,13 +4,17 @@ on:
   schedule:
     - cron: '0 0 * * 0' # Once per week
 
+permissions: {}
+
 jobs:
   jvm-tests:
     name: "Build and test JVM library on Linux"
     runs-on: ubuntu-24.04
     steps:
       - name: "Checkout publishing branch"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Cache"
         uses: actions/cache@v3
@@ -42,6 +46,8 @@ jobs:
     steps:
       - name: "Checkout"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Build Swift package"
         working-directory: bdk-swift
@@ -71,6 +77,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
 
       - name: "Install Rust 1.84.1"
         uses: actions-rs/toolchain@v1

.github/workflows/publish-android.yaml

@@ -3,12 +3,16 @@ on: [workflow_dispatch]
 
 # The default Android NDK on the ubuntu-24.04 image is 25.2.9519653
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-24.04
     steps:
       - name: "Check out PR branch"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Cache"
         uses: actions/cache@v3

.github/workflows/publish-jvm.yaml

@@ -1,13 +1,17 @@
 name: Publish bdk-jvm to Maven Central
 on: [workflow_dispatch]
 
+permissions: {}
+
 jobs:
   build-macOS-native-libs:
     name: "Create M1 and x86_64 native binaries"
     runs-on: macos-14
     steps:
       - name: "Checkout publishing branch"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Cache"
         uses: actions/cache@v3
@@ -42,6 +46,8 @@ jobs:
     steps:
       - name: "Checkout publishing branch"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Set up JDK"
         uses: actions/setup-java@v4
@@ -67,6 +73,8 @@ jobs:
     steps:
       - name: "Checkout publishing branch"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Cache"
         uses: actions/cache@v3

.github/workflows/publish-python.yaml

@@ -1,6 +1,8 @@
 name: Publish bdkpython to PyPI
 on: [workflow_dispatch]
 
+permissions: {}
+
 jobs:
   build-manylinux_2_28-x86_64-wheels:
     name: "Build Manylinux 2.28 x86_64 wheel"
@@ -26,6 +28,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
 
       - name: "Install Rust 1.84.1"
         uses: actions-rs/toolchain@v1
@@ -64,6 +67,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
 
       - name: "Install Python"
         uses: actions/setup-python@v4
@@ -103,6 +107,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
 
       - name: "Install Python"
         uses: actions/setup-python@v4
@@ -141,6 +146,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
+
       - uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python }}
@@ -167,6 +174,8 @@ jobs:
     steps:
       - name: "Checkout"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Download artifacts in dist/ directory"
         uses: actions/download-artifact@v4

.github/workflows/test-android.yaml

@@ -12,6 +12,8 @@ on:
 
 # The default Android NDK on the ubuntu-24.04 image is 25.2.9519653
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-24.04
@@ -21,6 +23,8 @@ jobs:
 
       - name: "Check out PR branch"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Cache"
         uses: actions/cache@v3

.github/workflows/test-jvm.yaml

@@ -10,12 +10,16 @@ on:
       - "bdk-ffi/**"
       - "bdk-jvm/**"
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-24.04
     steps:
       - name: "Check out PR branch"
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Cache"
         uses: actions/cache@v3

.github/workflows/test-python.yaml

@@ -10,6 +10,8 @@ on:
       - "bdk-ffi/**"
       - "bdk-python/**"
 
+permissions: {}
+
 jobs:
   build-manylinux_2_28-x86_64-wheels:
     name: "Build and test Manylinux 2.28 x86_64 wheels"
@@ -35,6 +37,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
 
       - name: "Install Rust 1.84.1"
         uses: actions-rs/toolchain@v1
@@ -80,6 +83,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
 
       - name: "Install Python"
         uses: actions/setup-python@v4
@@ -125,6 +129,8 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
+
       - uses: actions/setup-python@v4
         with:
           python-version: ${{ matrix.python }}
@@ -168,6 +174,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
 
       - name: "Install Python"
         uses: actions/setup-python@v4
@@ -204,6 +211,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+          persist-credentials: false
 
       - name: "Install Ruff"
         run: curl -LsSf https://astral.sh/ruff/install.sh | sh