Add zizmor

martincostello · martincostello · commit 2452be0fe15e · 2025-08-16T16:06:26.000+01:00
Scan GitHub Actions workflows with zizmor and fix/suppress findings.
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
@@ -32,17 +32,21 @@ jobs:
     steps:
 
     - name: Checkout code
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        filter: 'tree:0'
+        persist-credentials: false
+        show-progress: false
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
 
     - name: Run benchmarks
       shell: pwsh
       run: ./benchmark.ps1
 
     - name: Publish BenchmarkDotNet artifacts
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       if: ${{ !cancelled() }}
       with:
         name: artifacts
@@ -57,7 +61,7 @@ jobs:
         "repo-name=${repoName}" >> ${env:GITHUB_OUTPUT}
 
     - name: Publish results
-      uses: martincostello/benchmarkdotnet-results-publisher@v1
+      uses: martincostello/benchmarkdotnet-results-publisher@abcb3ce3975e1e86f06f2c04e3a4059ccdb91cc1 # v1.0.2
       with:
         branch: ${{ github.ref_name }}
         comment-on-threshold: true
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -22,6 +22,8 @@ env:
   DOTNET_SYSTEM_CONSOLE_ALLOW_ANSI_COLOR_REDIRECTION: 1
   FORCE_COLOR: 3
   NUGET_XMLDOC_MODE: skip
+  # renovate: datasource=npm depName=spectral-cli packageName=@stoplight/spectral-cli
+  SPECTRAL_CLI_VERSION: '6.15.0'
   TERM: xterm
 
 jobs:
@@ -40,13 +42,17 @@ jobs:
     steps:
 
     - name: Checkout code
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        filter: 'tree:0'
+        persist-credentials: false
+        show-progress: false
 
     - name: Setup .NET SDK
-      uses: actions/setup-dotnet@v4
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
 
     - name: Setup Node
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
         node-version: '22'
 
@@ -55,7 +61,7 @@ jobs:
       run: ./build.ps1
 
     - name: Install Spectral
-      run: npm install -g @stoplight/spectral-cli
+      run: npm install -g "@stoplight/spectral-cli@${SPECTRAL_CLI_VERSION}"
 
     - name: Run Spectral
       run: spectral lint "./artifacts/openapi/*" --fail-severity warn --format github-actions
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -29,17 +29,21 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        filter: 'tree:0'
+        persist-credentials: false
+        show-progress: false
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
       with:
         build-mode: none
         languages: ${{ matrix.language }}
         queries: security-and-quality
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2 # v3.29.9
       with:
         category: '/language:${{ matrix.language }}'
 
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -19,29 +19,43 @@ permissions: {}
 env:
   FORCE_COLOR: 3
   TERM: xterm
+  # renovate: datasource=github-releases depName=zizmor packageName=zizmorcore/zizmor
+  ZIZMOR_VERSION: '1.12.1'
 
 jobs:
   lint:
     runs-on: ubuntu-latest
 
     permissions:
+      actions: read
       contents: read
+      security-events: write
 
     steps:
 
     - name: Checkout code
-      uses: actions/checkout@v5
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        filter: 'tree:0'
+        persist-credentials: false
+        show-progress: false
 
     - name: Add actionlint problem matcher
       run: echo "::add-matcher::.github/actionlint-matcher.json"
 
-    - name: Lint workflows
-      uses: docker://rhysd/actionlint:1.7.7
+    - name: Lint workflows with actionlint
+      uses: docker://rhysd/actionlint:1.7.7@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9
       with:
         args: -color
 
+    - name: Lint workflows with zizmor
+      uses: zizmorcore/zizmor-action@5ca5fc7a4779c5263a3ffa0e1f693009994446d1 # v0.1.2
+      with:
+        persona: pedantic
+        version: ${{ env.ZIZMOR_VERSION }}
+
     - name: Lint markdown
-      uses: DavidAnson/markdownlint-cli2-action@v20
+      uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e # v20.0.0
       with:
         config: '.markdownlint.json'
         globs: |
