feat(security): improve GHA security (#270)

jfagoagas · andoniaf · web-flow · commit 3853467555d5 · 2026-03-24T09:30:37.000+01:00
Co-authored-by: Andoni A. &lt;14891798+andoniaf@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -13,8 +13,12 @@ updates:
     labels:
       - "dependencies"
       - "pip"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "monthly"
     target-branch: main
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -21,6 +21,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install poetry
         run: |
@@ -68,11 +70,15 @@ jobs:
 
       - name: Safety
         run: |
-          if [ "${{ matrix.python-version }}" = "3.9" ] || [ "${{ matrix.python-version }}" = "3.10" ]; then
-            poetry run safety check --ignore 82754 --ignore 84183 --ignore 83159
-          else
-            poetry run safety check
-          fi
+          # 82754: filelock TOCTOU symlink (CVE-2025-68146), fix requires Python >=3.10
+          # 84183: filelock lock mechanism (PVE-2026-84183), fix requires Python >=3.10
+          # 83159: marshmallow data conversion (CVE-2025-68480), fix requires Python >=3.10
+          # 84415: filelock TOCTOU race condition (CVE-2026-22701), fix requires Python >=3.10
+          poetry run safety check \
+            --ignore 82754 \
+            --ignore 84183 \
+            --ignore 83159 \
+            --ignore 84415
 
       - name: Vulture
         run: |
@@ -85,5 +91,5 @@ jobs:
       - name: Upload coverage reports to Codecov
         uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
           slug: prowler-cloud/py-ocsf-models
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
@@ -9,18 +9,23 @@ on:
 env:
   RELEASE_TAG: ${{ github.event.release.tag_name }}
   PYTHON_VERSION: 3.11
-  # CACHE: "poetry"
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      contents: read
+      id-token: write
     env:
       POETRY_VIRTUALENVS_CREATE: "false"
 
     name: Release py-ocsf-models to PyPI
     steps:
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: |
@@ -30,13 +35,10 @@ jobs:
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          # cache: ${{ env.CACHE }}
 
       - name: Build package
         run: |
           poetry build
 
       - name: Publish package to PyPI
-        run: |
-          poetry config pypi-token.pypi ${{ secrets.PYPI_API_TOKEN }}
-          poetry publish
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,52 @@
+name: GitHub Actions Security Analysis
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - ".github/workflows/**"
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - ".github/workflows/**"
+
+permissions: {}
+
+jobs:
+  zizmor-pr:
+    name: Run zizmor (PR)
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        with:
+          advanced-security: "false"
+          annotations: "true"
+
+  zizmor-push:
+    name: Run zizmor (push)
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -106,3 +106,9 @@ repos:
         entry: bash -c 'vulture --exclude "contrib" --min-confidence 100 .'
         language: system
         files: '.*\.py'
+
+  ## GITHUB ACTIONS
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
