ci: Integrate zizmor checks to repo (#818)

MaxymVlasov · yermulnik · web-flow · commit 7f976b531028 · 2025-06-06T01:02:39.000+03:00
That PR integrate one more static analysis tool, as CodeQL is good, but it not cover all cases Here is an article about zizmor value - https://blog.yossarian.net/2024/12/06/zizmor-ultralytics-injection zizmor repo - https://github.com/woodruffw/zizmor --------- Co-authored-by: George L. Yermulnik <yz@yz.kiev.ua>
diff --git a/.github/workflows/build-image-test.yaml b/.github/workflows/build-image-test.yaml
@@ -36,6 +36,7 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Get changed Docker related files
       id: changed-files-specific
diff --git a/.github/workflows/build-image.yaml b/.github/workflows/build-image.yaml
@@ -21,6 +21,9 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        persist-credentials: false
+
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2  # v3.10.0
     - name: Login to GitHub Container Registry
@@ -30,10 +33,13 @@ jobs:
         username: ${{ github.repository_owner }}
         password: ${{ secrets.GITHUB_TOKEN }}
     - name: Set tag for image
+      env:
+        REF_TYPE: ${{ github.ref_type }}
+        REF_NAME: ${{ github.ref_name }}
       run: >-
         echo IMAGE_TAG=$(
-        [ ${{ github.ref_type }} == 'tag' ]
-        && echo ${{ github.ref_name }}
+        [ $REF_TYPE == 'tag' ]
+        && echo $REF_NAME
         || echo 'latest'
         ) >> $GITHUB_ENV
 
diff --git a/.github/workflows/ci-cd.yml b/.github/workflows/ci-cd.yml
@@ -10,6 +10,9 @@ on:
     - pre-commit-ci-update-config  # pre-commit.ci always creates a PR
   pull_request:
   workflow_call:  # a way to embed the main tests
+    secrets:
+      CODECOV_TOKEN:
+        required: true
 
 permissions:
   contents: read
@@ -112,6 +115,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
         fetch-depth: 0
+        persist-credentials: false
     - name: >-
         Calculate Python interpreter version hash value
         for use in the cache key
@@ -208,6 +212,8 @@ jobs:
             )
     - name: Set the target Git tag
       id: git-tag
+      env:
+        DIST_VERSION: ${{ steps.scm-version.outputs.dist-version }}
       run: |
         from os import environ
         from pathlib import Path
@@ -218,13 +224,13 @@ jobs:
                 mode=FILE_APPEND_MODE,
         ) as outputs_file:
             print(
-                "tag=v${{
-                    steps.scm-version.outputs.dist-version
-                }}",
+                f"tag=v{environ['DIST_VERSION'].removeprefix('v')}",
                 file=outputs_file,
             )
     - name: Set the expected dist artifact names
       id: artifact-name
+      env:
+        DIST_VERSION: ${{ steps.scm-version.outputs.dist-version }}
       run: |
         from os import environ
         from pathlib import Path
@@ -238,15 +244,11 @@ jobs:
                 mode=FILE_APPEND_MODE,
         ) as outputs_file:
             print(
-                f"sdist={sdist_file_prj_base_name !s}-${{
-                    steps.scm-version.outputs.dist-version
-                }}.tar.gz",
+                f"sdist={sdist_file_prj_base_name !s}-{environ['DIST_VERSION']}.tar.gz",
                 file=outputs_file,
             )
             print(
-                f"wheel={whl_file_prj_base_name !s}-${{
-                    steps.scm-version.outputs.dist-version
-                }}-py3-none-any.whl",
+                f"wheel={whl_file_prj_base_name !s}-{environ['DIST_VERSION']}-py3-none-any.whl",
                 file=outputs_file,
             )
 
@@ -268,7 +270,8 @@ jobs:
 
     env:
       TOXENV: cleanup-dists,build-dists
-
+      SDIST_ARTIFACT_NAME: ${{ needs.pre-setup.outputs.sdist-artifact-name }}
+      WHEEL_ARTIFACT_NAME: ${{ needs.pre-setup.outputs.wheel-artifact-name }}
     outputs:
       dists-base64-hash: ${{ steps.dist-hashes.outputs.combined-hash }}
 
@@ -282,6 +285,7 @@ jobs:
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: >-
         Calculate Python interpreter version hash value
@@ -357,19 +361,13 @@ jobs:
         --quiet
     - name: Verify that the artifacts with expected names got created
       run: >-
-        ls -1
-        'dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}'
-        'dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}'
+        ls -1 "dist/${SDIST_ARTIFACT_NAME}" "dist/${WHEEL_ARTIFACT_NAME}"
     - name: Generate dist hashes to be used for provenance
       id: dist-hashes
       run: >-
         echo "combined-hash=$(
-        sha256sum
-        '${{ needs.pre-setup.outputs.sdist-artifact-name }}'
-        '${{ needs.pre-setup.outputs.wheel-artifact-name }}'
-        | base64 -w0
-        )"
-        >> "${GITHUB_OUTPUT}"
+        sha256sum "$SDIST_ARTIFACT_NAME" "$WHEEL_ARTIFACT_NAME" | base64 -w0
+        )" >> $GITHUB_OUTPUT
       working-directory: dist
     - name: Store the distribution packages
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
@@ -386,7 +384,7 @@ jobs:
         retention-days: 30
 
   lint:
-    name: 🧹 Linters${{ '' }}  # nest jobs under the same sidebar category
+    name: 🧹 Linters${{ '' }}  # Group jobs in sidebar # zizmor: ignore[obfuscation]
     needs:
     - build
     - pre-setup  # transitive, for accessing settings
@@ -444,7 +442,7 @@ jobs:
       codecov-token: ${{ secrets.CODECOV_TOKEN }}
 
   tests:
-    name: 🧪 Tests${{ '' }}  # nest jobs under the same sidebar category
+    name: 🧪 Tests${{ '' }}  # Group jobs in sidebar # zizmor: ignore[obfuscation]
     needs:
     - build
     - pre-setup  # transitive, for accessing settings
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -44,6 +44,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -22,5 +22,8 @@ jobs:
     steps:
     - name: Checkout Repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        persist-credentials: false
+
     - name: Dependency Review
       uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9  # v4.7.1
diff --git a/.github/workflows/pr-title.yml b/.github/workflows/pr-title.yml
@@ -1,7 +1,7 @@
 name: Validate PR title
 
 on:
-  pull_request_target:
+  pull_request:
     types:
     - opened
     - edited
diff --git a/.github/workflows/pre-commit.yaml b/.github/workflows/pre-commit.yaml
@@ -14,17 +14,20 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        persist-credentials: false
     - run: >-
         git fetch --no-tags --prune --depth=1 origin
         +refs/heads/*:refs/remotes/origin/*
 
     - name: Get changed files
       id: file_changes
+      env:
+        BASE_REF: ${{ github.base_ref }}
+        SHA: ${{ github.sha }}
       run: |
-        export DIFF=$(git diff --name-only origin/${{ github.base_ref }} ${{
-          github.sha
-        }})
-        echo "Diff between ${{ github.base_ref }} and ${{ github.sha }}"
+        export DIFF=$(git diff --name-only "origin/$BASE_REF" "$SHA")
+        echo "Diff between $BASE_REF and $SHA"
         echo "files=$( echo "$DIFF" | xargs echo )" >> $GITHUB_OUTPUT
 
     - name: Install shfmt
@@ -48,10 +51,11 @@ jobs:
         )"
         > hadolint
         && chmod +x hadolint && sudo mv hadolint /usr/bin/
-     # Needed for pre-commit fix push to succeed
+    # Needed for pre-commit fix push to succeed
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
         fetch-depth: 0
+        persist-credentials: false
         ref: ${{ github.event.pull_request.head.sha }}
         # Needed to trigger pre-commit workflow on autofix commit. Guide:
         # https://web.archive.org/web/20210731173012/https://github.community/t/required-check-is-expected-after-automated-push/187545/
diff --git a/.github/workflows/reusable-tox.yml b/.github/workflows/reusable-tox.yml
@@ -150,9 +150,10 @@ jobs:
     steps:
     - name: Export requested job-global environment variables
       if: inputs.environment-variables != ''
+      env:
+        INPUT_ENV_VARS: ${{ inputs.environment-variables }}
       run: >-
-        echo '${{ inputs.environment-variables }}'
-        >> "${GITHUB_ENV}"
+        echo "$INPUT_ENV_VARS" >> $GITHUB_ENV
 
     - name: >-
         Switch to using Python v${{ inputs.python-version }}
@@ -170,6 +171,7 @@ jobs:
         contains(fromJSON('["pre-commit", "spellcheck-docs"]'), inputs.toxenv)
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ github.event.inputs.release-committish }}
     - name: Retrieve the project source from an sdist inside the GHA artifact
       if: >-
@@ -273,18 +275,24 @@ jobs:
 
     - name: >-
         Pre-populate tox envs: `${{ env.TOXENV }}`
-      run: >-
-        python -Im
-        tox
-        --parallel auto
-        --parallel-live
-        --skip-missing-interpreters false
-        ${{
-          inputs.built-wheel-names != ''
-          && format('--installpkg dist/{0}', inputs.built-wheel-names)
-          || ''
-        }}
-        --notest
+      shell: bash
+      env:
+        INPUT_BUILT_WHEEL_NAMES: ${{ inputs.built-wheel-names }}
+      run: |-
+        tox_common_args=(
+          --parallel auto
+          --parallel-live
+          --skip-missing-interpreters false
+        )
+        if [[ $INPUT_BUILT_WHEEL_NAMES ]]; then
+          python -Im tox "${tox_common_args[@]}" \
+            --installpkg "dist/$INPUT_BUILT_WHEEL_NAMES" \
+            --notest
+        else
+          python -Im tox "${tox_common_args[@]}" \
+            --notest
+        fi
+
     - name: Initialize pre-commit envs if needed
       if: inputs.toxenv == 'pre-commit'
       run: >-
@@ -301,19 +309,24 @@ jobs:
     - name: >-
         Run tox envs: `${{ env.TOXENV }}`
       id: tox-run
-      run: >-
-        python -Im
-        tox
-        --parallel auto
-        --parallel-live
-        --skip-missing-interpreters false
-        --skip-pkg-install
-        --quiet
-        ${{
-          inputs.tox-run-posargs != ''
-          && format('-- {0}', inputs.tox-run-posargs)
-          || ''
-        }}
+      shell: bash
+      env:
+        INPUT_TOX_RUN_POSARGS: ${{ inputs.tox-run-posargs }}
+      run: |-
+        tox_common_args=(
+          --parallel auto
+          --parallel-live
+          --skip-missing-interpreters false
+          --skip-pkg-install
+          --quiet
+        )
+        if [ -n "$INPUT_TOX_RUN_POSARGS" ]; then
+          python -Im tox "${tox_common_args[@]}" \
+            -- "$INPUT_TOX_RUN_POSARGS"
+        else
+          python -Im tox "${tox_common_args[@]}"
+        fi
+
     # Generate nice SVG image of passed/failed tests in GHA Job Summary
     - name: Produce markdown test summary from JUnit
       if: >-
@@ -352,13 +365,15 @@ jobs:
         && steps.tox-run.outputs.test-result-files == ''
         && steps.tox-run.outputs.codecov-flags != 'MyPy'
       run: >-
-        cat code-coverage-results.md >> "${GITHUB_STEP_SUMMARY}"
+        cat code-coverage-results.md >> "$GITHUB_STEP_SUMMARY"
     - name: Re-run the failing tests with maximum verbosity
       if: >-
         !cancelled()
         && failure()
         && inputs.tox-rerun-posargs != ''
       # `exit 1` makes sure that the job remains red with flaky runs
+      env:
+        INPUT_TOX_RERUN_POSARGS: ${{ inputs.tox-rerun-posargs }}
       run: >-
         python -Im
         tox
@@ -368,7 +383,7 @@ jobs:
         -vvvvv
         --skip-pkg-install
         --
-        ${{ inputs.tox-rerun-posargs }}
+        $INPUT_TOX_RERUN_POSARGS
         && exit 1
       shell: bash
     - name: Send coverage data to Codecov
diff --git a/.github/workflows/scheduled-runs.yml b/.github/workflows/scheduled-runs.yml
@@ -37,4 +37,5 @@ jobs:
   main-ci-cd-pipeline:
     name: ∞ Main CI/CD pipeline
     uses: ./.github/workflows/ci-cd.yml
-    secrets: inherit
+    secrets:
+      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -47,6 +47,12 @@ repos:
   hooks:
   - id: gitleaks
 
+# Github Action static analysis tool
+- repo: https://github.com/woodruffw/zizmor-pre-commit
+  rev: v1.9.0
+  hooks:
+  - id: zizmor
+
 # Dockerfile
 - repo: https://github.com/hadolint/hadolint
   rev: v2.13.1-beta
