chore(ci): Move to zizmor action with stricter config (#4808)

This pull request primarily improves the security, clarity, and
maintainability of the project's GitHub Actions workflows. The most
significant changes include replacing the custom zizmor lint workflow
with the official zizmor GitHub Action, updating permissions with
explicit comments for better documentation, and upgrading action
versions for enhanced security and reliability.

Author: npalm

.github/workflows/actions.yml

@@ -18,8 +18,7 @@ jobs:
     name: Analyze (${{ matrix.language }})
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
-      # required for all workflows
-      security-events: write
+      security-events: write # required for CodeQL to upload security scan results
 
     strategy:
       fail-fast: false
@@ -39,12 +38,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5
+      uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
       with:
         languages: ${{ matrix.language }}
         build-mode: none
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.29.5
+      uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/codeql.yml

@@ -13,10 +13,11 @@ permissions: {}
 
 jobs:
   dependency-review:
+    name: Dependency vulnerability scan
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      pull-requests: write
+      contents: read # for actions/checkout
+      pull-requests: write # for actions/dependency-review-action to comment on PRs
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1

.github/workflows/dependency-review.yml

@@ -13,12 +13,10 @@ permissions:
 
 jobs:
   build:
+    name: Build and test lambda functions
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node: [22]
     container:
-      image: node:${{ matrix.node }}
+      image: node:22@sha256:2bb201f33898d2c0ce638505b426f4dd038cc00e5b2b4cbba17b069f0fff1496
     defaults:
       run:
         working-directory: ./lambdas

.github/workflows/lambda.yml

@@ -7,16 +7,17 @@ on:
   push:
     branches: [ "main" ]
 
-permissions: read-all
+permissions:
+  contents: read # for actions/checkout and repository analysis
 
 jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
     permissions:
-      security-events: write
-      id-token: write
+      security-events: write # for github/codeql-action/upload-sarif to upload security scan results
+      id-token: write # for ossf/scorecard-action to generate attestations
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
@@ -48,6 +49,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93
+        uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3
         with:
           sarif_file: results.sarif

.github/workflows/ossf-scorecard.yml

@@ -14,10 +14,10 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      actions: write
-      id-token: write
-      attestations: write
+      contents: write # for release-please-action to create releases and update changelogs
+      actions: write # for release-please-action to trigger other workflows
+      id-token: write # for actions/attest-build-provenance to generate attestations
+      attestations: write # for actions/attest-build-provenance to write attestations
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -27,6 +27,7 @@ jobs:
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 22
+          package-manager-cache: false
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
@@ -63,14 +64,16 @@ jobs:
           VERSION: ${{ github.event.inputs.version }}
           TAG_NAME: ${{ steps.release.outputs.tag_name }}
           ATTESTATION_URL: ${{ steps.attest.outputs.attestation-url }}
+          REPOSITORY: ${{ github.repository }}
         run: |
           version="${VERSION}"
           tag_name="${TAG_NAME}"
           attestation_url="${ATTESTATION_URL}"
+          repository="${REPOSITORY}"
           gh release view $version --json body -q '.body' > new-release-notes.md
           echo "## Attestation" >> new-release-notes.md
           echo "Attestation url: $attestation_url" >> new-release-notes.md
-          echo "Verify the artifacts by running \`gh attestation verify <name_of_artifact> --repo ${{ github.repository }}\`" >> new-release-notes.md
+          echo "Verify the artifacts by running \`gh attestation verify <name_of_artifact> --repo ${repository}\`" >> new-release-notes.md
           gh release edit $tag_name -F new-release-notes.md -t $tag_name
       - name: Upload release assets
         if: ${{ steps.release.outputs.releases_created == 'true' }}

.github/workflows/release.yml

@@ -6,8 +6,8 @@ on:
       - edited
       - synchronize
 permissions:
-  contents: read
-  pull-requests: read
+  contents: read # for actions/checkout
+  pull-requests: read # for amannn/action-semantic-pull-request to check PR details
 jobs:
   main:
     name: Semantic Commit Message Check

.github/workflows/semantic-check.yml

@@ -3,12 +3,14 @@ on:
   schedule:
     - cron: "30 1 * * *"
   workflow_dispatch:
-permissions:
-  issues: write
-  pull-requests: write
+permissions: {}
 jobs:
   stale:
+    name: Mark stale issues and PRs
     runs-on: ubuntu-latest
+    permissions:
+      issues: write # for actions/stale to close stale issues
+      pull-requests: write # for actions/stale to close stale PRs
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1

.github/workflows/stale.yml

@@ -16,7 +16,7 @@ jobs:
     name: Verify module
     strategy:
       matrix:
-        terraform: [1.5.6, "latest"]
+        terraform: ["1.5.6", "latest"]
     runs-on: ubuntu-latest
     container:
       image: hashicorp/terraform:${{ matrix.terraform }}
@@ -74,7 +74,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        terraform: [1.5.6, "latest"]
+        terraform: ["1.5.6", "latest"]
         module:
           [
             "ami-housekeeper",
@@ -132,16 +132,18 @@ jobs:
       - if: contains(matrix.terraform, '1.3.')
         name: Run TFLint
         working-directory: ${{ github.workspace }}
+        env:
+          MODULE_NAME: ${{ matrix.module }}
         run: |
-          tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }}
-          tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir modules/${{ matrix.module }}
+          tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir "modules/${MODULE_NAME}"
+          tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir "modules/${MODULE_NAME}"
 
   verify_examples:
     name: Verify examples
     strategy:
       fail-fast: false
       matrix:
-        terraform: [1.5.6, "latest"]
+        terraform: ["1.5.6", "latest"]
         example:
           [
             "default",
@@ -195,6 +197,8 @@ jobs:
       - if: contains(matrix.terraform, '1.5.')
         name: Run TFLint
         working-directory: ${{ github.workspace }}
+        env:
+          EXAMPLE_NAME: ${{ matrix.example }}
         run: |
-          tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }}
-          tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir examples/${{ matrix.example }}
+          tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir "examples/${EXAMPLE_NAME}"
+          tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir "examples/${EXAMPLE_NAME}"

.github/workflows/terraform.yml

@@ -14,8 +14,8 @@ jobs:
     name: Auto update terraform docs
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write # for terraform-docs/gh-actions to commit documentation updates
+      pull-requests: write # for peter-evans/create-pull-request to create PRs with doc updates
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -61,17 +61,20 @@ jobs:
           delete-branch: true
 
   deploy-pages:
+    name: Deploy documentation to GitHub Pages
     needs: [docs]
     runs-on: ubuntu-latest
     permissions:
-      contents: write
+      contents: write # for actions/checkout and mkdocs gh-deploy to push to gh-pages branch
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
       - name: Configure Git Credentials
         run: |
           git config user.name github-actions[bot]