Add actionci.yml (#306)

* Add zizmor and frizbee CI checks

Add caller workflows for zizmor (security scanning) and frizbee
(action pinning verification). Fix zizmor findings where applicable
and add suppression config for intentional patterns.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add explicit permissions blocks, remove excessive-permissions ignores

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Replace zizmor line-number ignores with policies

Use unpinned-uses config.policies with org-level wildcard and
secrets-inherit disable instead of brittle per-line ignores that
break whenever workflow files change.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Disable ref-confusion audit

The ref-confusion audit crashes when workflows reference private
repos (e.g. internal-workflows, robot) because the GITHUB_TOKEN
lacks cross-repo access. Disable until zizmor supports scoping
this audit or we provide a broader token.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add security-events: write to zizmor caller workflow

The caller workflow's permissions are the ceiling for reusable
workflows. The zizmor-action needs security-events: write to
upload SARIF results to GitHub Advanced Security.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: Replace separate actionlint/zizmor/frizbee with actionci.yml

Consolidate the three separate workflow files into a single actionci.yml
that calls the shared workflow from smallstep/workflows.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: Pin unpinned actions in release.yml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: Remove accidentally included publish-packages.yml

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Move codeql permissions to job level to satisfy zizmor

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/workflows/actionci.yml

@@ -0,0 +1,22 @@
+name: Action CI
+
+on:
+  push:
+    tags-ignore:
+    - 'v*'
+    branches:
+    - "main"
+  pull_request:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  actionci:
+    permissions:
+      contents: read
+      security-events: write
+    uses: smallstep/workflows/.github/workflows/actionci.yml@main
+    secrets: inherit

.github/workflows/actionlint.yml

@@ -13,8 +13,15 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   ci:
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: smallstep/workflows/.github/workflows/goCI.yml@main
     with:
       only-latest-golang: false

.github/workflows/ci.yml

@@ -2,6 +2,11 @@ on:
   schedule:
     - cron: '0 0 * * SUN'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   code-scan:
     uses: smallstep/workflows/.github/workflows/code-scan.yml@main

.github/workflows/code-scan-cron.yml

@@ -6,6 +6,9 @@ on:
     tags:
       - "v*" # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     uses: smallstep/step-kms-plugin/.github/workflows/ci.yml@main
@@ -14,6 +17,8 @@ jobs:
   create_release:
     name: Create Release
     needs: ci
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     env:
       DOCKER_IMAGE: smallstep/step-kms-plugin
@@ -30,9 +35,11 @@ jobs:
     steps:
       - name: Is Pre-release
         id: is_prerelease
+        env:
+          REF: ${{ github.ref }}
         run: |
           set +e
-          echo ${{ github.ref }} | grep "\-rc.*"
+          echo "${REF}" | grep "\-rc.*"
           OUT=$?
           if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
           echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}"
@@ -110,15 +117,15 @@ jobs:
       - name: Authenticate to Google Cloud
         if: ${{ needs.create_release.outputs.is_prerelease == 'false' }}
         id: gcloud-auth
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
         with:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GOOGLE_CLOUD_WORKLOAD_IDENTITY_PROVIDER }}
           service_account: ${{ secrets.GOOGLE_CLOUD_GITHUB_SERVICE_ACCOUNT }}
 
       - name: Set up Google Cloud SDK
         if: ${{ needs.create_release.outputs.is_prerelease == 'false' }}
-        uses: google-github-actions/setup-gcloud@v3
+        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3
         with:
           project_id: ${{ secrets.GOOGLE_CLOUD_PACKAGES_PROJECT_ID }}
 
@@ -131,7 +138,7 @@ jobs:
           echo 'IS_PRERELEASE=${{ needs.create_release.outputs.is_prerelease }}' >> "${GITHUB_ENV}"
 
       - name: Run GoReleaser Pro
-        uses: goreleaser/goreleaser-action@v7.0.0
+        uses: goreleaser/goreleaser-action@ec59f474b9834571250b370d4735c50f8e2d1e29 # v7.0.0
         with:
           distribution: goreleaser-pro
           version: v2.8.1

.github/workflows/release.yml

@@ -0,0 +1,12 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "smallstep/*": ref-pin
+  secrets-inherit:
+    disable: true
+  ref-confusion:
+    disable: true
+  dangerous-triggers:
+    ignore:
+      - triage.yml