INTPYTHON-470 Add zizmor check (#57)

Author: blink1073

.github/workflows/_lint.yml

@@ -33,7 +33,8 @@ jobs:
           - "3.12"
     steps:
       - uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:

.github/workflows/_release.yml

@@ -36,7 +36,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
@@ -91,7 +92,8 @@ jobs:
         working-directory: ${{ inputs.working-directory }}
     steps:
       - uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
       # We explicitly *don't* set up caching here. This ensures our tests are
       # maximally sensitive to catching breakage.
       #
@@ -180,7 +182,7 @@ jobs:
 
       - name: Run unit tests with minimum dependency versions
         run: |
-          uv sync --python=${{ env.PYTHON_VERSION }} --resolution=lowest-direct
+          uv sync --python=${PYTHON_VERSION} --resolution=lowest-direct
           just test || git checkout uv.lock
           git checkout uv.lock
 
@@ -204,6 +206,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install uv
         uses: astral-sh/setup-uv@v5
@@ -244,7 +248,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
@@ -269,5 +274,7 @@ jobs:
           commit: main
 
       - name: Add github release url to summary
+        env:
+          RELEASE_URL: ${{ steps.create-release.outputs.html_url }}
         run: |
-          echo "GitHub Release: ${{ steps.create-release.outputs.html_url }}" >> $GITHUB_STEP_SUMMARY
+          echo "GitHub Release: ${RELEASE_URL}" >> $GITHUB_STEP_SUMMARY

.github/workflows/_test.yml

@@ -23,7 +23,8 @@ jobs:
     name: "run test #${{ matrix.python-version }}"
     steps:
       - uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:

.github/workflows/_test_release.yml

@@ -24,7 +24,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
@@ -73,7 +74,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@v4
         with:
           name: test-dist

.github/workflows/ci.yml

@@ -21,14 +21,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: '3.10'
       - id: files
         uses: Ana06/[email protected]
       - id: set-matrix
+        env:
+          FILES: ${{ steps.files.outputs.all }}
         run: |
-          python .github/scripts/check_diff.py ${{ steps.files.outputs.all }} >> $GITHUB_OUTPUT
+          python .github/scripts/check_diff.py ${FILES} >> $GITHUB_OUTPUT
     outputs:
       dirs-to-lint: ${{ steps.set-matrix.outputs.dirs-to-lint }}
       dirs-to-test: ${{ steps.set-matrix.outputs.dirs-to-test }}

.github/workflows/zizmor.yml

@@ -0,0 +1,36 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      # required for workflows in private repositories
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor