COPP-8605: Deploy zizmor to open source repos (#2561)

* COPP-8605: Deploy zizmor to open source repos

* zizmor --fix=all .

* pinact run -fix -diff

* Address warnings[excessive-permissions]

* pull_request_target to pull_request

* Address info[template-injection]

Author: lachlankidson

.github/actions/setup-java/action.yml

@@ -4,8 +4,8 @@ runs:
   using: "composite"
   steps:
     - name: Set up JDK
-      uses: actions/setup-java@v5
+      uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
       with:
         java-version: '17'
         distribution: 'adopt'
-        cache: gradle
+        cache: gradle

.github/dependabot.yml

@@ -20,6 +20,8 @@ updates:
       patterns:
       - "com.android.tools:*"
       - "com.android.tools.*"
+  cooldown:
+    default-days: 7
 
 - package-ecosystem: npm
   directory: "/"
@@ -31,10 +33,14 @@ updates:
   versioning-strategy: increase-if-necessary
   allow:
     - dependency-type: "direct"
+  cooldown:
+    default-days: 7
 - package-ecosystem: github-actions
   directory: "/"
   schedule:
     interval: weekly
     day: monday
     time: "19:00"
   open-pull-requests-limit: 10
+  cooldown:
+    default-days: 7

.github/workflows/_build.yml

@@ -29,7 +29,9 @@ jobs:
     timeout-minutes: 15
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup-java
 
@@ -45,7 +47,9 @@ jobs:
     timeout-minutes: 15
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup-java
 
@@ -62,20 +66,21 @@ jobs:
       contents: write
 
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
 
       - name: Fetch Dependabot metadata
         id: dependabot-metadata
-        uses: dependabot/fetch-metadata@v2.5.0
-        if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' }}
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' }}
         with:
           github-token: "${{ steps.app-token.outputs.token }}"
 
@@ -95,27 +100,27 @@ jobs:
       - uses: ./.github/actions/setup-java
 
       - name: Validate Gradle Wrapper
-        uses: gradle/actions/wrapper-validation@v5
+        uses: gradle/actions/wrapper-validation@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
 
       - name: Build
         run: |
           ./gradlew assemble${{ env.flavour }}${{ env.config }} -PdisablePreDex
 
       - name: Tokens check
-        if: ${{ github.event_name != 'pull_request' || github.actor != 'dependabot[bot]' || github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' && !contains(steps.dependabot-metadata.outputs.dependency-names, 'bpk-') }}
+        if: ${{ github.event_name != 'pull_request' || github.actor != 'dependabot[bot]' || github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && !contains(steps.dependabot-metadata.outputs.dependency-names, 'bpk-') }}
         run: |
           ./gradlew generateTokens -PdisablePreDex
           ./scripts/check-no-changes.sh
 
       - name: Token update
         id: tokenUpdate
-        if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' && contains(steps.dependabot-metadata.outputs.dependency-names, 'bpk-')}}
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && contains(steps.dependabot-metadata.outputs.dependency-names, 'bpk-')}}
         run: |
           ./gradlew generateTokens -PdisablePreDex
           changedFiles=`git status --porcelain` && echo "CHANGED_FILES=${changedFiles//$'\n'/'%0A'}" >> $GITHUB_OUTPUT
 
       - name: Token commit
-        if: ${{ github.event_name == 'pull_request' && github.actor == 'dependabot[bot]' && steps.tokenUpdate.outputs.CHANGED_FILES != '' && contains(steps.dependabot-metadata.outputs.dependency-names, 'bpk-') }}
+        if: ${{ github.event_name == 'pull_request' && github.event.pull_request.user.login == 'dependabot[bot]' && steps.tokenUpdate.outputs.CHANGED_FILES != '' && contains(steps.dependabot-metadata.outputs.dependency-names, 'bpk-') }}
         run: |
           git config --local user.email "197108191+skyscanner-backpack-bot[bot]@users.noreply.github.com"
           git config --local user.name "skyscanner-backpack-bot[bot]"
@@ -138,7 +143,9 @@ jobs:
     steps:
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Enable KVM group perms
         run: |
@@ -149,7 +156,7 @@ jobs:
       - uses: ./.github/actions/setup-java
 
       - name: AVD cache
-        uses: actions/cache@v5
+        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
         id: avd-cache
         with:
           path: |
@@ -159,7 +166,7 @@ jobs:
 
       - name: create AVD and generate snapshot for caching
         if: steps.avd-cache.outputs.cache-hit != 'true'
-        uses: reactivecircus/android-emulator-runner@v2
+        uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0
         with:
           profile: Nexus 4
           sdcard-path-or-size: 512M
@@ -171,7 +178,7 @@ jobs:
           script: echo "Generated AVD snapshot for caching."
 
       - name: Android Tests
-        uses: reactivecircus/android-emulator-runner@v2
+        uses: reactivecircus/android-emulator-runner@b530d96654c385303d652368551fb075bc2f0b6b # v2.35.0
         with:
           profile: Nexus 4
           sdcard-path-or-size: 512M
@@ -212,7 +219,9 @@ jobs:
             flag: themed
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - uses: ./.github/actions/setup-java
 
@@ -222,7 +231,7 @@ jobs:
           ./gradlew app:recordRoborazziOssDebug -Dvariant=${{ matrix.variant.flag }}
 
       - name: Upload Screenshots
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: screenshots-${{ matrix.variant.flag }}
           path: app/screenshots/
@@ -237,19 +246,20 @@ jobs:
       contents: write
     timeout-minutes: 5
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
 
       - name: Download all screenshot artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           path: screenshot-artifacts
 

.github/workflows/label-check.yml

@@ -1,15 +1,17 @@
 name: label-check
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, labeled, unlabeled, synchronize]
 
+permissions: {}
+
 jobs:
   label-check:
     runs-on: ubuntu-24.04-16cores-public
 
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.GH_APP_ID }}

.github/workflows/main.yml

@@ -30,13 +30,13 @@ jobs:
       contents: write
       pull-requests: read
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
       - name: Draft release notes
-        uses: release-drafter/release-drafter@v6
+        uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
         env:
           GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}

.github/workflows/pr.yml

@@ -28,17 +28,17 @@ jobs:
     runs-on: ubuntu-24.04-16cores-public
     permissions:
       pull-requests: write
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
       - name: Fetch Dependabot metadata
         id: dependabot-metadata
-        uses: dependabot/fetch-metadata@v2.5.0
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
         with:
           github-token: "${{ steps.app-token.outputs.token }}"
 
@@ -50,12 +50,14 @@ jobs:
           PR_URL: ${{github.event.pull_request.html_url}}
 
       - name: Apply dependency labels
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+            UPDATE_TYPE: ${{ steps.metadata.outputs.update-type }}
         with:
           github-token: ${{ steps.app-token.outputs.token }}
           script: |
             const prNumber = context.issue.number;
-            const updateType = '${{ steps.metadata.outputs.update-type }}';
+            const updateType = process.env.UPDATE_TYPE;
 
             // Get current labels
             const { data: currentLabels } = await github.rest.issues.listLabelsOnIssue({
@@ -128,14 +130,14 @@ jobs:
     permissions:
       pull-requests: write
     steps:
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
       - name: Detect Copilot commits and label PR
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ steps.app-token.outputs.token }}
           script: |

.github/workflows/release.yml

@@ -35,17 +35,19 @@ jobs:
 
     steps:
 
-      - uses: actions/create-github-app-token@v2
+      - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
         id: app-token
         with:
           app-id: ${{ vars.GH_APP_ID }}
           private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Set up JDK
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e # v5.1.0
         with:
           java-version: '17'
           distribution: 'adopt'
@@ -66,14 +68,16 @@ jobs:
         run: ./gradlew :backpack-compose:generateComponentList
       - name: Upload components list to release
         continue-on-error: true
-        run: gh release upload ${{ github.event.release.tag_name }} backpack-compose/build/outputs/compose_components.txt --clobber
+        run: gh release upload ${GITHUB_EVENT_RELEASE_TAG_NAME} backpack-compose/build/outputs/compose_components.txt --clobber
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
 
       - name: Publish artifacts
-        run: ./gradlew publish -Pversion=${{ github.event.release.tag_name }}
+        run: ./gradlew publish -Pversion=${GITHUB_EVENT_RELEASE_TAG_NAME}
         env:
             GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
 
       - name: Install libsecret for Supernova CLI
         run: sudo apt-get update && sudo apt-get install -y libsecret-1-0

.github/workflows/update-copyright.yml

@@ -16,16 +16,17 @@ jobs:
     runs-on: ubuntu-24.04-16cores-public
 
     steps:
-    - uses: actions/create-github-app-token@v2
+    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
       id: app-token
       with:
         app-id: ${{ vars.GH_APP_ID }}
         private-key: ${{ secrets.GH_APP_PRIVATE_KEY }}
 
     - name: Checkout repository
-      uses: actions/checkout@v6
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
         token: ${{ steps.app-token.outputs.token }}
+        persist-credentials: false
 
     - name: Set current year
       id: date
@@ -50,7 +51,7 @@ jobs:
         
     - name: Create Pull Request
       if: steps.changes.outputs.changes == 'true'
-      uses: peter-evans/create-pull-request@v8
+      uses: peter-evans/create-pull-request@98357b18bf14b5342f975ff684046ec3b2a07725 # v8.0.0
       with:
         token: ${{ steps.app-token.outputs.token }}
         commit-message: "chore: update copyright year to ${{ steps.date.outputs.year }}"
@@ -69,8 +70,10 @@ jobs:
 
     - name: Output result
       run: |
-        if [[ "${{ steps.changes.outputs.changes }}" == "true" ]]; then
+        if [[ "${STEPS_CHANGES_OUTPUTS_CHANGES}" == "true" ]]; then
           echo "Copyright year has been updated and a PR has been created"
         else
           echo "Copyright year is already current, no action needed"
         fi
+      env:
+        STEPS_CHANGES_OUTPUTS_CHANGES: ${{ steps.changes.outputs.changes }}

.github/workflows/zizmor.yml

@@ -0,0 +1,25 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches:
+      - "main"
+  pull_request:
+    branches:
+      - "**"
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-24.04-2cores-tools-public
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0