Add GitHub Actions linting workflow and Dockerfile

.github/actions/context/action.yml

@@ -65,19 +65,21 @@ runs:
       env:
         # The default branch of the repository, in this case "master"
         default_branch: ${{ github.event.repository.default_branch }}
+        event_name: ${{ github.event_name }}
+        event_action: ${{ github.event.action }}
+        ref_name: ${{ github.ref_name }}
+        head_ref: ${{ github.head_ref }}
+        release_tag_name: ${{ github.event.release.tag_name }}
       shell: bash
       run: |
-        event_name="${{ github.event_name }}"
-        event_action="${{ github.event.action }}"
-
         # Stable check for if the workflow is running on the default branch
         # https://stackoverflow.com/questions/64781462/github-actions-default-branch-variable
         is_default_branch="${{ format('refs/heads/{0}', env.default_branch) == github.ref }}"
 
         # In most events, the epository refers to the head which would be the fork
         is_fork="${{ github.event.repository.fork }}"
         # Default version is the branch name
-        docker_version="${{ github.ref_name }}"
+        docker_version="${ref_name}"
 
         # This is different in a pull_request where we need to check the head explicitly
         if [[ "${{ github.event_name }}" == 'pull_request' ]]; then
@@ -87,7 +89,7 @@ runs:
           is_dependabot="${{ github.actor == 'dependabot[bot]' }}"
 
           # For PRs we need to reference the head branch
-          docker_version="${{ github.head_ref }}"
+          docker_version="${head_ref}"
 
           # If the head repository is a fork or if the PR is opened by dependabot
           # we consider the run to be a fork. Dependabot and proper forks are treated
@@ -115,7 +117,7 @@ runs:
             is_release_tag="true"
 
             # If we are releasing a tag, we tag the docker version as the git tag
-            docker_version="${{ github.event.release.tag_name }}"
+            docker_version="${release_tag_name}"
           fi
         fi
 
@@ -128,4 +130,4 @@ runs:
         echo "git_sha=${{ github.sha }}" >> $GITHUB_OUTPUT
 
         echo "event_name: $event_name"
-        cat $GITHUB_OUTPUT
+        cat "${GITHUB_OUTPUT}"

.github/actions/login-docker/action.yml

@@ -28,7 +28,7 @@ runs:
         echo "image=${{ github.repository }}" >> $GITHUB_OUTPUT
 
     - name: Login to Dockerhub
-      uses: docker/login-action@v3
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
       with:
         registry: ${{ steps.context.outputs.registry }}
         username: ${{ inputs.username }}

.github/actions/login-gar/action.yml

@@ -17,15 +17,15 @@ runs:
   steps:
     - name: get the GCP auth token
       id: gcp-auth
-      uses: google-github-actions/auth@v2
+      uses: google-github-actions/auth@140bb5113ffb6b65a7e9b937a81fa96cf5064462
       with:
         token_format: access_token
         service_account: ${{ inputs.service_account }}
         workload_identity_provider: ${{ inputs.workload_identity_provider }}
 
     - name: login to GAR
       if: steps.gcp-auth.outcome == 'success'
-      uses: docker/login-action@v3
+      uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772
       with:
         registry: ${{ inputs.registry }}
         username: oauth2accesstoken

.github/actions/pr-comment/action.yml

@@ -33,15 +33,16 @@ runs:
       shell: bash
       env:
         GH_TOKEN: ${{ inputs.github_token }}
+        repo: ${{ inputs.repo }}
+        pr_number: ${{ inputs.pr }}
+        edit_last: ${{ inputs.edit_last }}
+        body: ${{ inputs.body }}
       run: |
         # --- Input variables ---
-        repo="${{ inputs.repo }}"
-        pr_number="${{ inputs.pr }}"
-        edit_last="${{ inputs.edit_last }}"
         tmp_file=$(mktemp)
 
         cat <<'EOF' > "$tmp_file"
-        ${{ inputs.body }}
+        ${body}
         EOF
 
         args="--repo ${repo} --body-file $tmp_file --create-if-none"

.github/actions/slack-workflow-notification/action.yml

@@ -93,7 +93,12 @@ runs:
         cat "${GITHUB_OUTPUT}"
 
     - name: Notify Slack
-      uses: mozilla/addons/.github/actions/slack@main
+      # This action uses another action defined in the same repository.
+      # Github action does not support dynamic version selection so we have to pick
+      # a single version. Pinning to a commit hash is not a great idea because we have to
+      #manage multiple cascading version updates for the action and this file cannot reference
+      # it's own git hash.
+      uses: mozilla/addons/.github/actions/slack@main # zizmor: ignore[unpinned-uses]
       with:
         slack_token: ${{ inputs.slack_token }}
         method: chat.postMessage

.github/actions/slack/action.yml

@@ -70,7 +70,7 @@ runs:
 
   - name: Send Message
     if: ${{ steps.context.outputs.send_message == 'true' }}
-    uses: slackapi/slack-github-action@v2.0.0
+    uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a
     with:
       errors: true
       token: ${{ inputs.slack_token }}

.github/dependabot.yml

@@ -3,7 +3,7 @@ updates:
 - package-ecosystem: "github-actions"
   directory: "/"
   schedule:
-    interval: weekly
+    interval: daily
   open-pull-requests-limit: 99
 - package-ecosystem: pip
   directory: "/requirements"

.github/workflows/ci.yml

@@ -11,8 +11,30 @@ on:
 env:
   SLACK_CHANNEL: ${{ vars.SLACK_CHANNEL_TEST }}
 
+permissions: {}
+
 jobs:
+  test_actions:
+    permissions:
+      contents: 'read'
+    runs-on: ubuntu-latest
+    strategy:
+      fail-fast: false
+      matrix:
+        target: [actionlint, zizmor]
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Run ${{ matrix.target }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: make ${{ matrix.target }}
+
   slack_action_payload:
+    permissions:
+        contents: 'read'
     runs-on: ubuntu-latest
     name: Test Slack Action ${{ matrix.name }}
     strategy:
@@ -92,6 +114,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Slack Action Payload
         id: slack
@@ -146,6 +170,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Test Slack Action: ${{ matrix.name }}"
         id: slack
@@ -155,7 +181,7 @@ jobs:
           # We explicitly don't pass the slack token so that we can test
           # If the action actually attempts to send a message. This would
           # fail and we can assert that an attempt was made to send the message.
-          # slack_token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack_token: ''
           payload: |
             channel: ${{ vars.SLACK_CHANNEL_TEST }}
             text: "Dry run is '${{ matrix.dry_run }}'"
@@ -252,6 +278,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Slack Workflow Notification
         uses: ./.github/actions/slack-workflow-notification

.github/workflows/docs.yml

@@ -11,9 +11,13 @@ on:
 env:
   docs_artifact: docs
 
+permissions: {}
+
 jobs:
   context:
     runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
 
     outputs:
       is_release_master: ${{ steps.context.outputs.is_release_master }}
@@ -22,14 +26,23 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - id: context
         uses: ./.github/actions/context
 
   docs_build:
+    permissions:
+      contents: 'read'
+      actions: 'write'
+
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@v5

.github/workflows/stale.yml

@@ -9,6 +9,8 @@ on:
   schedule:
   - cron: '41 0 * * *'
 
+permissions: {}
+
 jobs:
   stale:
 
@@ -22,7 +24,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: >
           This issue has been automatically marked as stale because it has not had
-          recent activity. If you think this bug should stay open, please comment on 
+          recent activity. If you think this bug should stay open, please comment on
           the issue with further details. Thank you for your contributions.
         stale-issue-label: 'state:stale'
         days-before-stale: 180

Makefile

@@ -0,0 +1,7 @@
+.PHONY: actionlint
+actionlint: ## lint github action workflows
+	docker compose -f docker-compose.tools.yml run --rm actionlint
+
+.PHONY: zizmor
+zizmor: ## run zizmor to check for markdown linting errors
+	docker compose -f docker-compose.tools.yml run --rm zizmor ./.github

docker-compose.tools.yml

@@ -0,0 +1,18 @@
+name: test_actions
+
+services:
+  base:
+    image: scratch
+    working_dir: /workdir
+    volumes:
+      - .:/workdir
+
+  actionlint:
+    extends: base
+    image: rhysd/actionlint:1.7.7@sha256:887a259a5a534f3c4f36cb02dca341673c6089431057242cdc931e9f133147e9
+
+  zizmor:
+    extends: base
+    image: ghcr.io/zizmorcore/zizmor:latest@sha256:ecb5e81e47bdb9e61ffa26b3def736ef4a6842d25e106986fd9dc579da0c9a68
+    environment:
+      - GH_TOKEN

zizmor.yml

@@ -0,0 +1,2 @@
+rules:
+  template-injection: