add: statically analyze CI workflows

2bndy5 · 2bndy5 · commit f7824fee53ea · 2025-09-07T08:08:00.000-07:00
resolves #46 - includes changes to satisfy warnings/errors raised by zizmor
diff --git a/.github/workflows/ci-check.yml b/.github/workflows/ci-check.yml
@@ -0,0 +1,27 @@
+on:
+  workflow_call:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions: {}
+
+jobs:
+  check-ci-workflows:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          repository: ${{ github.repository }}
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5
+        with:
+          python-version: '3.x'
+      - name: Run zizmor
+        env:
+          GH_TOKEN: ${{ github.token }}
+          FORCE_COLOR: 1
+        run: pipx run zizmor --format=github .github/workflows/*.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -44,6 +44,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,8 +6,16 @@ on:
   pull_request:
     branches: [main]
 
+permissions: {}
+
 jobs:
   main:
+    permissions:
+      contents: read
     uses: ./.github/workflows/pre-commit.yml
   stale:
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     uses: ./.github/workflows/stale.yml
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -8,6 +8,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6 # v6.6.1
       - name: Install dependencies
         run: uv sync --group docs
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -22,7 +22,9 @@ jobs:
           python-version: '3.x'
       - name: Run commands
         if: inputs.commands
-        run: ${{ inputs.commands }}
+        run: ${INPUTS_COMMANDS}
+        env:
+          INPUTS_COMMANDS: ${{ inputs.commands }}
       - name: Cache pre-commit environments
         uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
@@ -60,15 +62,16 @@ jobs:
         run: cargo binstall -y committed
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          PR_TITLE: ${{ github.event.pull_request.title }}
       - name: conventional-commit
         run: >-
-          echo "${{ github.event.pull_request.title }}"
+          echo "${PR_TITLE}"
           | committed --config ${{ github.workspace }}/org-repo/.github/committed.toml --commit-file -
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: latest
       - name: spell check
         working-directory: project-repo
-        run: >-
-          echo "${{ github.event.pull_request.title }}"
-          | npx cspell-cli lint stdin
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}
+        run: echo "${PR_TITLE}" | npx cspell-cli lint stdin
diff --git a/.github/workflows/py-coverage.yml b/.github/workflows/py-coverage.yml
@@ -9,6 +9,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+        with:
+          persist-credentials: false
 
       - name: Download all artifacts
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5
diff --git a/.github/workflows/py-publish.yml b/.github/workflows/py-publish.yml
@@ -17,6 +17,7 @@ jobs:
       # use fetch --all for setuptools_scm to work
       with:
         fetch-depth: 0
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5
       with:
@@ -37,14 +38,14 @@ jobs:
         subject-path: 'dist/*'
 
     - name: Publish package (to TestPyPI)
-      if: github.event_name == 'workflow_dispatch' && startsWith(github.repository, 'cpp-linter')
+      if: startsWith(github.repository, 'cpp-linter') && !startsWith(github.ref, 'refs/tags/')
       env:
         TWINE_USERNAME: __token__
         TWINE_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }}
       run: twine upload --repository testpypi dist/*
 
     - name: Publish package (to PyPI)
-      if: github.event_name != 'workflow_dispatch' && startsWith(github.repository, 'cpp-linter')
+      if: startsWith(github.repository, 'cpp-linter') && startsWith(github.ref, 'refs/tags/')
       env:
         TWINE_USERNAME: __token__
         TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/snyk-container.yml b/.github/workflows/snyk-container.yml
@@ -8,6 +8,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+      with:
+        persist-credentials: false
     - name: Run Snyk to check Docker image for vulnerabilities
       continue-on-error: true
       uses: snyk/actions/docker@b98d498629f1c368650224d6d212bf7dfa89e4bf #v0.4.0
diff --git a/.github/workflows/sphinx.yml b/.github/workflows/sphinx.yml
@@ -14,13 +14,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6 # v6.6.1
 
       - name: Install dependencies
         run: uv sync --group docs
 
       - name: Build docs
-        run: uv run sphinx-build docs ${{ inputs.path-to-doc }}
+        run: uv run sphinx-build docs ${INPUTS_PATH_TO_DOC}
+        env:
+          INPUTS_PATH_TO_DOC: ${{ inputs.path-to-doc }}
 
       - name: Upload docs build as artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -1,16 +1,20 @@
-name: 'Close stale issues'
+name: "Close stale issues"
 
 on: [workflow_call]
 
 jobs:
   stale:
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 #v9
         with:
-            stale-issue-message: >-
-                This issue has been automatically marked as stale because
-                it has not had recent activity.
-                It will be closed if no further activity occurs.
-            # Better to exclude certain issues from being marked as stale
-            exempt-issue-labels: 'help wanted,security,pinned,bug'
+          stale-issue-message: >-
+            This issue has been automatically marked as stale because
+            it has not had recent activity.
+            It will be closed if no further activity occurs.
+          # Better to exclude certain issues from being marked as stale
+          exempt-issue-labels: "help wanted,security,pinned,bug"
diff --git a/cspell.config.yml b/cspell.config.yml
@@ -17,6 +17,7 @@ words:
   - testpypi
   - venv
   - xianpengshen
+  - zizmor
 ignorePaths:
   - .env/**
   - .venv/**
