feat(zizmor): Add Zizmor static analysis and update all rules to pass

Author: bkochendorfer

.github/workflows/diff-rendered-charts.yml

@@ -23,13 +23,16 @@ jobs:
         uses: actions/checkout@v4
         with:
          fetch-depth: '100'
+         persist-credentials: false
 
       - name: find changed helm charts
         id: find_changed_charts
         run: |
-          git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
-          echo matrix_changed_charts=$(git diff --name-only ${{ github.base_ref }}...HEAD -- '**/k8s/**/*.yaml' '**/k8s/**/*.yml' '**/k8s/**/*.tpl' '**/k8s/**/*.tmpl' | cut -d'/' -f1,2,3 | uniq | jq -R 'split("\n")' | jq -s 'flatten(1)') >> $GITHUB_OUTPUT
-          echo changed_charts=$(git diff --name-only ${{ github.base_ref }}...HEAD -- '**/k8s/**/*.yaml' '**/k8s/**/*.yml' '**/k8s/**/*.tpl' '**/k8s/**/*.tmpl' | cut -d'/' -f1,2,3 | uniq) >> $GITHUB_OUTPUT
+          git fetch origin ${GITHUB_BASE_REF}:${GITHUB_BASE_REF}
+          echo matrix_changed_charts=$(git diff --name-only ${GITHUB_BASE_REF}...HEAD -- '**/k8s/**/*.yaml' '**/k8s/**/*.yml' '**/k8s/**/*.tpl' '**/k8s/**/*.tmpl' | cut -d'/' -f1,2,3 | uniq | jq -R 'split("\n")' | jq -s 'flatten(1)') >> $GITHUB_OUTPUT
+          echo changed_charts=$(git diff --name-only ${GITHUB_BASE_REF}...HEAD -- '**/k8s/**/*.yaml' '**/k8s/**/*.yml' '**/k8s/**/*.tpl' '**/k8s/**/*.tmpl' | cut -d'/' -f1,2,3 | uniq) >> $GITHUB_OUTPUT
+        env:
+          GITHUB_BASE_REF: ${{ github.base_ref }}
 
   render_head_ref_charts:
     runs-on: ubuntu-latest
@@ -40,24 +43,28 @@ jobs:
     steps:
       - name: checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: setup helm
-        uses: azure/setup-helm@v4.0.0
+        uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f #v4.0.0
 
       - name: render ${{ matrix.chart }} from head ref
         id: render_head
         run: |
           mkdir -p shared/head-charts
-          git fetch origin "$HEAD_REF"
-          git checkout  "$HEAD_REF" --
-          if [ -f "${{ matrix.chart }}/Chart.yaml" ]; then
-            helm dependency update "${{ matrix.chart }}"
-            values_files="${{ matrix.chart }}"/values-*
+          git fetch origin "${HEAD_REF}"
+          git checkout "${HEAD_REF}" --
+          if [ -f "${MATRIX_CHART}/Chart.yaml" ]; then
+            helm dependency update "${MATRIX_CHART}"
+            values_files="${MATRIX_CHART}"/values-*
             for values_file in $(basename -a $values_files); do
-              helm template "${{ matrix.chart }}" -f "${{ matrix.chart }}/values.yaml" -f "${{ matrix.chart }}/${values_file}" --output-dir "shared/head-charts/${{ matrix.chart }}/${values_file}"
+              helm template "${MATRIX_CHART}" -f "${MATRIX_CHART}/values.yaml" -f "${MATRIX_CHART}/${values_file}" --output-dir "shared/head-charts/${MATRIX_CHART}/${values_file}"
             done
           fi
-          echo sanitized_name=$(echo "${{ matrix.chart }}" | sed 's/\//-/g') >> $GITHUB_OUTPUT
+          echo sanitized_name=$(echo "${MATRIX_CHART}" | sed 's/\//-/g') >> $GITHUB_OUTPUT
+        env:
+          MATRIX_CHART: ${{ matrix.chart }}
       - name: upload artifact
         uses: actions/upload-artifact@v4
         with:
@@ -73,24 +80,30 @@ jobs:
     steps:
       - name: checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: setup helm
-        uses: azure/setup-helm@v4.0.0
+        uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f #v4.0.0
 
       - name: render ${{ matrix.chart }} from base ref
         id: render_base
         run: |
           mkdir -p shared/base-charts
-          git fetch origin ${{ github.base_ref }}
-          git checkout  ${{ github.base_ref }} --
-          if [ -f "${{ matrix.chart }}/Chart.yaml" ]; then
-            helm dependency update "${{ matrix.chart }}"
-            values_files="${{ matrix.chart }}"/values-*
+          git fetch origin $GITHUB_BASE_REF
+          git checkout  $GITHUB_BASE_REF --
+          if [ -f "${MATRIX_CHART}/Chart.yaml" ]; then
+            helm dependency update "${MATRIX_CHART}"
+            values_files="${MATRIX_CHART}"/values-*
             for values_file in $(basename -a $values_files); do
-              helm template "${{ matrix.chart }}" -f "${{ matrix.chart }}/values.yaml" -f "${{ matrix.chart }}/${values_file}" --output-dir "shared/base-charts/${{ matrix.chart }}/${values_file}"
+              helm template "${MATRIX_CHART}" -f "${MATRIX_CHART}/values.yaml" -f "${MATRIX_CHART}/${values_file}" --output-dir "shared/base-charts/${MATRIX_CHART}/${values_file}"
             done
           fi
-          echo sanitized_name=$(echo "${{ matrix.chart }}" | sed 's/\//-/g') >> $GITHUB_OUTPUT
+          echo sanitized_name=$(echo "${MATRIX_CHART}" | sed 's/\//-/g') >> $GITHUB_OUTPUT
+        env:
+          MATRIX_CHART: ${{ matrix.chart }}
+          GITHUB_BASE_REF: "${{ github.base_ref }}"
+
       - name: upload artifact
         uses: actions/upload-artifact@v4
         with:
@@ -105,7 +118,7 @@ jobs:
       - render_head_ref_charts
     steps:
       - name: setup helm
-        uses: azure/setup-helm@v4.0.0
+        uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f #v4.0.0
 
       - name: download artifacts
         uses: actions/download-artifact@v4
@@ -117,12 +130,14 @@ jobs:
       - name: diff helm charts
         id: diff_helm_charts
         run: |
-          for chart in ${{ needs.get_changed_helm_charts.outputs.charts }}; do
+          for chart in ${CHARTS}; do
             chart_diff_output=$(diff -r "shared/base-charts/${chart}" "shared/head-charts/${chart}" || true)
             if [ -n "$chart_diff_output" ]; then
               echo -e "Changes found in chart: ${chart}\n$(diff -ruN shared/base-charts/${chart} shared/head-charts/${chart})\n" >> diff.log
             fi
           done
+        env:
+          CHARTS: ${{ needs.get_changed_helm_charts.outputs.charts }}
       - name: post diff as comment on pull request
         if: needs.get_changed_helm_charts.outputs.charts != ''
         uses: actions/github-script@v7

.github/workflows/release.yaml

@@ -10,12 +10,15 @@ jobs:
     name: release
     runs-on:
       - ubuntu-latest
+    permissions:
+      contents: write
 
     steps:
       - name: checkout
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: setup node.js
         uses: actions/setup-node@v4

.github/workflows/validate-k8s-manifests.yml

@@ -27,13 +27,16 @@ jobs:
         uses: actions/checkout@v4
         with:
          fetch-depth: '100'
+         persist-credentials: false
 
       - name: find changed helm charts
         id: find_changed_charts
         run: |
-          git fetch origin ${{ github.base_ref }}:${{ github.base_ref }}
-          echo matrix_changed_charts=$(git diff --name-only ${{ github.base_ref }}...HEAD -- '**/k8s/**/*.yaml' '**/k8s/**/*.yml' '**/k8s/**/*.tpl' '**/k8s/**/*.tmpl' | cut -d'/' -f1,2,3 | uniq | jq -R 'split("\n")' | jq -s 'flatten(1)') >> $GITHUB_OUTPUT
-          echo changed_charts=$(git diff --name-only ${{ github.base_ref }}...HEAD -- '**/k8s/**/*.yaml' '**/k8s/**/*.yml' '**/k8s/**/*.tpl' '**/k8s/**/*.tmpl' | cut -d'/' -f1,2,3 | uniq) >> $GITHUB_OUTPUT
+          git fetch origin $GITHUB_BASE_REF:$GITHUB_BASE_REF
+          echo matrix_changed_charts=$(git diff --name-only $GITHUB_BASE_REF...HEAD -- '**/k8s/**/*.yaml' '**/k8s/**/*.yml' '**/k8s/**/*.tpl' '**/k8s/**/*.tmpl' | cut -d'/' -f1,2,3 | uniq | jq -R 'split("\n")' | jq -s 'flatten(1)') >> $GITHUB_OUTPUT
+          echo changed_charts=$(git diff --name-only $GITHUB_BASE_REF...HEAD -- '**/k8s/**/*.yaml' '**/k8s/**/*.yml' '**/k8s/**/*.tpl' '**/k8s/**/*.tmpl' | cut -d'/' -f1,2,3 | uniq) >> $GITHUB_OUTPUT
+        env:
+          GITHUB_BASE_REF: ${{ github.base_ref }}
 
   render_head_ref_charts:
     runs-on: ubuntu-latest
@@ -44,25 +47,30 @@ jobs:
     steps:
       - name: checkout repository
         uses: actions/checkout@v4
+        with:
+         persist-credentials: false
 
       - name: setup helm
-        uses: azure/setup-helm@v4.0.0
+        uses: azure/setup-helm@29960d0f5f19214b88e1d9ba750a9914ab0f1a2f #v4.0.0
 
       - name: render ${{ matrix.chart }} from head ref
         id: render_head
         run: |
           mkdir -p shared/head-charts
           git fetch origin "$HEAD_REF"
           git checkout  "$HEAD_REF" --
-          if [ -f "${{ matrix.chart }}/Chart.yaml" ]; then
-            helm dependency update "${{ matrix.chart }}"
-            values_files="${{ matrix.chart }}"/values-*
+          if [ -f "$MATRIX_CHART/Chart.yaml" ]; then
+            helm dependency update "$MATRIX_CHART"
+            values_files="$MATRIX_CHART"/values-*
             for values_file in $(basename -a $values_files); do
               env_name=$(basename "$values_file" | sed -E 's/^values-(.+)\.ya?ml$/\1/')
-              helm template $(basename -a "${{ matrix.chart }}") "${{ matrix.chart }}" -f "${{ matrix.chart }}/values.yaml" -f "${{ matrix.chart }}/${values_file}" --output-dir "shared/charts/${{ matrix.chart }}/${env_name}"
+              helm template $(basename -a "$MATRIX_CHART") "$MATRIX_CHART" -f "$MATRIX_CHART/values.yaml" -f "$MATRIX_CHART/${values_file}" --output-dir "shared/charts/$MATRIX_CHART/${env_name}"
             done
           fi
-          echo sanitized_name=$(echo "${{ matrix.chart }}" | sed 's/\//-/g') >> $GITHUB_OUTPUT
+          echo sanitized_name=$(echo "$MATRIX_CHART" | sed 's/\//-/g') >> $GITHUB_OUTPUT
+        env:
+          MATRIX_CHART: ${{ matrix.chart }}
+
       - name: upload artifact
         uses: actions/upload-artifact@v4
         with:
@@ -104,10 +112,9 @@ jobs:
         run: |
           set -eo pipefail
 
-          charts="${{ needs.get_changed_helm_charts.outputs.charts }}"
           exit_code=0
 
-          for chart in $charts; do
+          for chart in $CHARTS; do
             echo "Validating ${chart}..."
 
             if [ -d "shared/charts/${chart}" ]; then
@@ -126,6 +133,8 @@ jobs:
           done
 
           echo "kubeconform_exit_code=$exit_code" >> $GITHUB_OUTPUT
+        env:
+          CHARTS: ${{ needs.get_changed_helm_charts.outputs.charts }}
 
       - name: minimize previous kubeconform comments
         uses: actions/github-script@v7
@@ -227,4 +236,6 @@ jobs:
       - name: fail workflow if kubeconform validation fails
         run: |
           # We want this workflow to fail if kubeconform validation fails, but after posting the comment
-          exit ${{ steps.validate_k8s_manifests.outputs.kubeconform_exit_code }}
+          exit ${EXIT_CODE}
+        env:
+          EXIT_CODE: ${{ steps.validate_k8s_manifests.outputs.kubeconform_exit_code }}

.github/workflows/zizmor.yml

@@ -0,0 +1,29 @@
+# https://github.com/woodruffw/zizmor
+name: GitHub Actions Security Analysis with Zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["*"]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Zizmor latest via Cargo
+    runs-on: ubuntu-latest
+    steps:
+      - name: Clone Repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - run: python -m pip install zizmor
+        shell: bash
+      - name: Run zizmor
+        run: zizmor .

deploy/action.yaml

@@ -84,20 +84,25 @@ runs:
       name: deployment service account
       shell: bash
       run: |
-        if [[ "${{ inputs.project_id }}" == "" ]]; then
-        echo "SERVICE_ACCOUNT=deploy-${{ inputs.env_name }}@moz-fx-${{ inputs.app_name }}-${{ inputs.realm_name }}.iam.gserviceaccount.com" >> $GITHUB_OUTPUT
+        if [[ "$PROJECT_ID" == "" ]]; then
+        echo "SERVICE_ACCOUNT=deploy-$ENV_NAME@moz-fx-$APP_NAME-$REALM_NAME.iam.gserviceaccount.com" >> $GITHUB_OUTPUT
         else
-        echo "SERVICE_ACCOUNT=deploy-${{ inputs.env_name }}@${{ inputs.project_id }}.iam.gserviceaccount.com" >> $GITHUB_OUTPUT
+        echo "SERVICE_ACCOUNT=deploy-$ENV_NAME@$PROJECT_ID.iam.gserviceaccount.com" >> $GITHUB_OUTPUT
         fi
+      env:
+        PROJECT_ID: ${{ inputs.project_id }}
+        REALM: ${{ inputs.realm_name }}
+        APP_NAME: ${{ inputs.app_name }}
+        ENV_NAME: ${{ inputs.env_name }}
 
     - name: gcp authentication
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f #v2
       with:
         service_account: ${{ steps.deployment_service_account.outputs.SERVICE_ACCOUNT }}
         workload_identity_provider: projects/${{ inputs.workload_identity_pool_project_number }}/locations/global/workloadIdentityPools/github-actions/providers/github-actions
 
     - name: get gke credentials
-      uses: google-github-actions/get-gke-credentials@v2
+      uses: google-github-actions/get-gke-credentials@9025e8f90f2d8e0c3dafc3128cc705a26d992a6a #v2
       with:
         cluster_name: ${{ inputs.k8s_cluster_name }}
         location: ${{ inputs.k8s_cluster_location }}
@@ -107,63 +112,92 @@ runs:
       id: helm_values
       shell: bash
       run: |
-        if [[ "${{ inputs.helm_value_files }}" == "" ]]; then
-          echo "FILES=-f values-${{ inputs.env_name }}.yaml" >> $GITHUB_OUTPUT
+        if [[ "${HELM_VALUE_FILES}" == "" ]]; then
+          echo "FILES=-f values-${ENV_NAME}.yaml" >> $GITHUB_OUTPUT
         else
-          echo "FILES=${{ inputs.helm_value_files }}" >> $GITHUB_OUTPUT
+          echo "FILES=${HELM_VALUE_FILES}" >> $GITHUB_OUTPUT
         fi
+      env:
+        ENV_NAME: ${{ inputs.env_name }}
+        HELM_VALUE_FILES: ${{ inputs.helm_value_files }}
 
     - name: helm version
       shell: bash
       run: helm version
 
     - name: helm list
       shell: bash
-      run: helm list -n ${{ inputs.app_name }}-${{ inputs.env_name }} -a
+      run: helm list -n ${APP_NAME}-${ENV_NAME} -a
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+        ENV_NAME: ${{ inputs.env_name }}
 
     # Workaround for --dependency-update flag failing to update OCI packaged charts
     - name: helm dependency update
       shell: bash
-      working-directory: infra_repo/${{ inputs.helm_chart_path }}
+      working-directory: infra_repo/${HELM_CHART_PATH}
       run: helm dependency update
+      env:
+        HELM_CHART_PATH: ${{ inputs.helm_chart_path }}
 
     # FIXME
     # - Look at adding --atomic or --wait as flags
     - name: helm install
       shell: bash
-      working-directory: infra_repo/${{ inputs.helm_chart_path }}
+      working-directory: infra_repo/${HELM_CHART_PATH}
       run: |
-        helm upgrade ${{ inputs.helm_release_name }} .              \
+        helm upgrade ${HELM_RELEASE_NAME} .                         \
         --install                                                   \
         --dependency-update                                         \
-        --namespace ${{ inputs.app_name }}-${{ inputs.env_name }}   \
-        ${{ steps.helm_values.outputs.FILES }}                      \
-        --set ${{ inputs.tag_value_path }}=${{ inputs.image_tag }}  \
-        --timeout ${{ inputs.helm_timeout }}                        \
-        ${{ inputs.helm_values }}
+        --namespace ${APP_NAME}-${ENV_NAME}                         \
+        ${VALUES}                                                   \
+        --set ${TAG_VALUE_PATH}=${IMAGE_TAG}                        \
+        --timeout ${HELM_TIMEOUT}                                   \
+        ${HELM_VALUES}
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+        ENV_NAME: ${{ inputs.env_name }}
+        HELM_CHART_PATH: ${{ inputs.helm_chart_path }}
+        HELM_RELEASE_NAME: ${{ inputs.helm_release_name }}
+        HELM_TIMEOUT: ${{ inputs.helm_timeout }}
+        HELM_VALUES: ${{ inputs.helm_values }}
+        IMAGE_TAG: ${{ inputs.image_tag }}
+        TAG_VALUE_PATH: ${{ inputs.tag_value_path }}
+        VALUES: ${{ steps.helm_values.outputs.FILES }}
 
     # List installed charts after upgrade
     - name: helm list
       if: always()
       shell: bash
-      run: helm list -n ${{ inputs.app_name }}-${{ inputs.env_name }} -a
+      run: helm list -n ${APP_NAME}-${ENV_NAME} -a
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+        ENV_NAME: ${{ inputs.env_name }}
 
     - name: helm app version
       if: always()
       id: helm_app_version
       shell: bash
       run: |
         helm list \
-        --filter ${{ inputs.helm_release_name }} \
-        --namespace ${{ inputs.app_name }}-${{ inputs.env_name }}   \
+        --filter ${HELM_RELEASE_NAME} \
+        --namespace ${APP_NAME}-${ENV_NAME}   \
         --no-headers | awk '{printf "deployed_chart_app_version=%s",$10}' | tee $GITHUB_OUTPUT
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+        ENV_NAME: ${{ inputs.env_name }}
+        HELM_RELEASE_NAME: ${{ inputs.helm_release_name }}
 
     - name: helm chart version
       if: always()
       id: helm_chart_version
       shell: bash
       run: |
         helm list \
-        --filter ${{ inputs.helm_release_name }} \
-        --namespace ${{ inputs.app_name }}-${{ inputs.env_name }}   \
+        --filter ${HELM_RELEASE_NAME} \
+        --namespace ${APP_NAME}-${ENV_NAME}   \
         --no-headers | awk '{printf "deployed_chart_version=%s",$9}' | tee $GITHUB_OUTPUT
+      env:
+        APP_NAME: ${{ inputs.app_name }}
+        ENV_NAME: ${{ inputs.env_name }}
+        HELM_RELEASE_NAME: ${{ inputs.helm_release_name }}