fix(ci): resolve template injection and ref-version-mismatch findings (#1502)

* fix(ci): resolve template injection findings

Move ${{ context }} expressions to env: variables to prevent shell injection.

Refs: PSEC-923

* fix(ci): add pedantic persona and suppress noisy zizmor rules

Add .github/zizmor.yml to configure dependabot cooldown and disable
pedantic-only rules with no security value (anonymous-definition,
undocumented-permissions, concurrency-limits).

Switch zizmor CI to pedantic persona to catch all template expansions
in run: blocks. Extend trigger paths to include .github/zizmor.yml
and .github/dependabot.yml so config changes also run the check.

Refs: PSEC-923

* fix(ci): add missing version comments to SHA-pinned action refs

Resolves 6 ref-version-mismatch zizmor findings by annotating SHA-pinned
action refs with their corresponding version:

- chainguard-dev/actions@0cba302 (5 occurrences): add # main
  (this action tracks the rolling main branch; no semver tags are published)
- dtolnay/rust-toolchain@e97e2d8: add # v1

Refs: PSEC-923

Author: stevebeattie

.github/workflows/codeql.yaml

@@ -66,7 +66,7 @@ jobs:
           ref: refs/tags/v${{ env.YARA_X_RELEASE }}
       - name: Install Rust for yara-x-capi
         if: steps.yara-x-capi.outputs.cache-hit != 'true'
-        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9
+        uses: dtolnay/rust-toolchain@e97e2d8cc328f1b50210efc529dca0028893a2d9 # v1
         with:
           toolchain: stable
       - name: Cache Rust dependencies
@@ -80,16 +80,18 @@ jobs:
           restore-keys: rust-cargo-
       - name: Build yara-x-capi
         if: steps.yara-x-capi.outputs.cache-hit != 'true'
+        env:
+          WORKSPACE: ${{ github.workspace }}
         run: |
           command -v cargo-cinstall || cargo install cargo-c --locked
-          cd ${{ github.workspace }}/yara-x
+          cd "${WORKSPACE}/yara-x"
           RUSTFLAGS="-C target-feature=+crt-static" cargo cinstall -p yara-x-capi --features=native-code-serialization \
             --profile release-lto \
-            --pkgconfigdir=${{ github.workspace }}/yara-x-install \
-            --includedir=${{ github.workspace }}/yara-x-install \
-            --libdir=${{ github.workspace }}/yara-x-install \
+            --pkgconfigdir="${WORKSPACE}/yara-x-install" \
+            --includedir="${WORKSPACE}/yara-x-install" \
+            --libdir="${WORKSPACE}/yara-x-install" \
             --crt-static --library-type="staticlib"
-          rm -rf ${{ github.workspace }}/yara-x
+          rm -rf "${WORKSPACE}/yara-x"
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
         with:

.github/workflows/digestabot.yaml

@@ -36,7 +36,7 @@ jobs:
             release-assets.githubusercontent.com:443
             tuf-repo-cdn.sigstore.dev:443
 
-      - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d
+      - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d # main
 
       - uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
         id: octo-sts

.github/workflows/fuzz.yaml

@@ -125,7 +125,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git gnutar ${{ env.GO_RELEASE }} nodejs upx xz yara-x~${{ env.YARA_X_RELEASE }}
+          apk add curl findutils git gnutar "${GO_RELEASE}" nodejs upx xz "yara-x~${YARA_X_RELEASE}"
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -170,6 +170,8 @@ jobs:
       # -parallel=1 is used for now due to this: https://github.com/golang/go/issues/56238
       - name: Run fuzzer - ${{ matrix.target.test }}
         env:
+          FUZZ_TARGET: ${{ matrix.target.test }}
+          FUZZ_PACKAGE: ${{ matrix.target.package }}
           FUZZ_TIME: ${{ inputs.fuzz_time || '30s' }}
         run: |
-          go test -parallel=1 -timeout 0 -fuzz="^${{ matrix.target.test }}$" -fuzztime="${FUZZ_TIME}" "${{ matrix.target.package }}"
+          go test -parallel=1 -timeout 0 -fuzz="^${FUZZ_TARGET}$" -fuzztime="${FUZZ_TIME}" "${FUZZ_PACKAGE}"

.github/workflows/go-tests.yaml

@@ -41,7 +41,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git gnutar ${{ env.GO_RELEASE }} nodejs upx xz yara-x~${{ env.YARA_X_RELEASE }}
+          apk add curl findutils git gnutar "${GO_RELEASE}" nodejs upx xz "yara-x~${YARA_X_RELEASE}"
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -92,7 +92,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git gnutar ${{ env.GO_RELEASE }} nodejs upx xz yara-x~${{ env.YARA_X_RELEASE }}
+          apk add curl findutils git gnutar "${GO_RELEASE}" nodejs upx xz "yara-x~${YARA_X_RELEASE}"
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/release.yaml

@@ -29,7 +29,7 @@ jobs:
             github.com:443
             octo-sts.dev:443
             release-assets.githubusercontent.com:443
-      - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d
+      - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d # main
       - name: Set up Octo-STS
         uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
         id: octo-sts

.github/workflows/style.yaml

@@ -188,7 +188,7 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add curl findutils git ${{ env.GO_RELEASE }} nodejs yara-x~${{ env.YARA_X_RELEASE }}
+          apk add curl findutils git "${GO_RELEASE}" nodejs "yara-x~${YARA_X_RELEASE}"
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

.github/workflows/third-party.yaml

@@ -40,8 +40,8 @@ jobs:
       - name: Install dependencies
         run: |
           apk update
-          apk add bash curl findutils gh git gnutar ${{ env.GO_RELEASE }} nodejs perl upx xz yara-x~${{ env.YARA_X_RELEASE }}
-      - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d
+          apk add bash curl findutils gh git gnutar "${GO_RELEASE}" nodejs perl upx xz "yara-x~${YARA_X_RELEASE}"
+      - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d # main
       - name: Set up Octo-STS
         uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
         id: octo-sts

.github/workflows/update-yara-x.yaml

@@ -46,6 +46,7 @@ jobs:
         id: check
         env:
           GH_TOKEN: ${{ github.token }}
+          REPOSITORY: ${{ github.repository }}
         run: |
           CURRENT=$(grep '^YARA_X_VERSION' Makefile | head -1 | sed 's/.*= *//')
           echo "Current version: ${CURRENT}"
@@ -68,7 +69,7 @@ jobs:
 
           # Skip if there is already an open PR for this version
           VERSION="${LATEST#v}"
-          EXISTING=$(gh pr list --repo "${{ github.repository }}" --head "bump-yara-x-${VERSION}" --state open --json number --jq 'length')
+          EXISTING=$(gh pr list --repo "${REPOSITORY}" --head "bump-yara-x-${VERSION}" --state open --json number --jq 'length')
           if [[ "${EXISTING}" -gt 0 ]]; then
             echo "Open PR already exists for yara-x ${VERSION}"
             echo "update_available=false" >> "$GITHUB_OUTPUT"
@@ -111,7 +112,7 @@ jobs:
             sum.golang.org:443
             tuf-repo-cdn.sigstore.dev:443
 
-      - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d
+      - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d # main
       - name: Set up Octo-STS
         uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
         id: octo-sts

.github/workflows/version.yaml

@@ -39,7 +39,7 @@ jobs:
             rekor.sigstore.dev:443
             release-assets.githubusercontent.com:443
             tuf-repo-cdn.sigstore.dev:443
-      - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d
+      - uses: chainguard-dev/actions/setup-gitsign@4a81273c8653122cf4e48cc248f9073b660c5e6d # main
       - name: Set up Octo-STS
         uses: octo-sts/action@f603d3be9d8dd9871a265776e625a27b00effe05 # v1.1.1
         id: octo-sts

.github/workflows/zizmor.yaml

@@ -9,11 +9,15 @@ on:
     paths:
       - '.github/workflows/**'
       - '.github/actions/**'
+      - '.github/dependabot.yml'
+      - '.github/zizmor.yml'
   push:
     branches: ['main']
     paths:
       - '.github/workflows/**'
       - '.github/actions/**'
+      - '.github/dependabot.yml'
+      - '.github/zizmor.yml'
 
 permissions: {}
 
@@ -42,3 +46,5 @@ jobs:
 
       - name: Run zizmor
         uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          persona: pedantic