SteeltoeOSS · bart-vmware · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025
diff --git a/.github/workflows/Steeltoe.All.yml b/.github/workflows/Steeltoe.All.yml
@@ -79,6 +79,8 @@ jobs:
 
     - name: Git checkout
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Restore packages
       run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal

diff --git a/.github/workflows/component-common.yml b/.github/workflows/component-common.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+
 jobs:
   linux:
     uses: ./.github/workflows/component-shared-workflow.yml

diff --git a/.github/workflows/component-configuration.yml b/.github/workflows/component-configuration.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+
 jobs:
   linux:
     uses: ./.github/workflows/component-shared-workflow.yml

diff --git a/.github/workflows/component-connectors.yml b/.github/workflows/component-connectors.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+
 jobs:
   linux:
     uses: ./.github/workflows/component-shared-workflow.yml

diff --git a/.github/workflows/component-discovery.yml b/.github/workflows/component-discovery.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+
 jobs:
   linux:
     uses: ./.github/workflows/component-shared-workflow.yml

diff --git a/.github/workflows/component-logging.yml b/.github/workflows/component-logging.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+
 jobs:
   linux:
     uses: ./.github/workflows/component-shared-workflow.yml

diff --git a/.github/workflows/component-management.yml b/.github/workflows/component-management.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+
 jobs:
   linux:
     uses: ./.github/workflows/component-shared-workflow.yml

diff --git a/.github/workflows/component-security.yml b/.github/workflows/component-security.yml
@@ -18,6 +18,8 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+
 jobs:
   linux:
     uses: ./.github/workflows/component-shared-workflow.yml

diff --git a/.github/workflows/component-shared-workflow.yml b/.github/workflows/component-shared-workflow.yml
@@ -76,6 +76,8 @@ jobs:
 
     - name: Git checkout
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Restore packages
       run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal

diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -40,6 +40,8 @@ jobs:
 
     - name: Git checkout
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Restore packages
       run: dotnet restore ${{ env.SOLUTION_FILE }} /p:Configuration=Release --verbosity minimal
@@ -261,6 +263,8 @@ jobs:
     steps:
     - name: Git checkout
       uses: actions/checkout@v4
+      with:
+        persist-credentials: true
 
     - name: Calculate next package version
       shell: pwsh

diff --git a/.github/workflows/scan-vulnerable-dependencies.yml b/.github/workflows/scan-vulnerable-dependencies.yml
@@ -36,6 +36,8 @@ jobs:
 
     - name: Git checkout
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Report vulnerable dependencies
       run: dotnet restore ${{ env.SOLUTION_FILE }} --verbosity minimal /p:NuGetAudit=true /p:NuGetAuditMode=all /p:NuGetAuditLevel=low /p:TreatWarningsAsErrors=True
diff --git a/.github/workflows/sonarcube.yml b/.github/workflows/sonarcube.yml
@@ -60,6 +60,7 @@ jobs:
     - name: Git checkout
       uses: actions/checkout@v4
       with:
+        persist-credentials: false
         # Sonar: Shallow clones should be disabled for a better relevancy of analysis.
         fetch-depth: 0
 

diff --git a/.github/workflows/verify-code-style.yml b/.github/workflows/verify-code-style.yml
@@ -36,6 +36,7 @@ jobs:
     - name: Git checkout
       uses: actions/checkout@v4
       with:
+        persist-credentials: false
         fetch-depth: 2
 
     - name: Restore tools

diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,24 @@
+name: GHA Security Analysis with zizmor
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+    - main
+    - '[0-9]+.x'
+  pull_request:
+
+permissions:
+  security-events: write
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    steps:
+    - name: Git checkout
+      uses: actions/checkout@v4
+      with:
+        persist-credentials: false
+    - name: Run zizmor
+      uses: zizmorcore/[email protected]
diff --git a/zizmor.yml b/zizmor.yml
@@ -0,0 +1,5 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "*": ref-pin