feat(security): improve GHA security (#43)

jfagoagas · andoniaf · web-flow · commit d1bf08b072ef · 2026-03-24T09:54:04.000+01:00
Co-authored-by: Andoni A. &lt;14891798+andoniaf@users.noreply.github.com&gt;
diff --git a/.github/workflows/conventional-commit.yml b/.github/workflows/conventional-commit.yml
@@ -9,16 +9,18 @@ on:
       - 'edited'
       - 'synchronize'
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
 jobs:
   conventional-commit-check:
+    name: Check conventional commit
     runs-on: ubuntu-latest
     timeout-minutes: 15
     permissions:
-      contents: read
       pull-requests: read
 
     steps:
diff --git a/.github/workflows/find-secrets.yml b/.github/workflows/find-secrets.yml
@@ -8,12 +8,15 @@ on:
     branches:
       - 'main'
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
 jobs:
   scan-secrets:
+    name: Scan for secrets
     runs-on: ubuntu-latest
     timeout-minutes: 15
     permissions:
diff --git a/.github/workflows/pr-conflict-checker.yml b/.github/workflows/pr-conflict-checker.yml
@@ -10,12 +10,15 @@ on:
     branches:
       - 'main'
 
+permissions: {}
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
   cancel-in-progress: true
 
 jobs:
   check-conflicts:
+    name: Check for conflict markers
     runs-on: ubuntu-latest
     timeout-minutes: 15
     permissions:
@@ -76,15 +79,16 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
           HAS_CONFLICTS: ${{ steps.conflict-check.outputs.has_conflicts }}
+          REPO: ${{ github.repository }}
         run: |
           LABEL_NAME="has-conflicts"
 
           if [ "$HAS_CONFLICTS" = "true" ]; then
             echo "Adding conflict label to PR #${PR_NUMBER}..."
-            gh pr edit "$PR_NUMBER" --add-label "$LABEL_NAME" --repo ${{ github.repository }} || true
+            gh pr edit "$PR_NUMBER" --add-label "$LABEL_NAME" --repo "$REPO" || true
           else
             echo "Removing conflict label from PR #${PR_NUMBER}..."
-            gh pr edit "$PR_NUMBER" --remove-label "$LABEL_NAME" --repo ${{ github.repository }} || true
+            gh pr edit "$PR_NUMBER" --remove-label "$LABEL_NAME" --repo "$REPO" || true
           fi
 
       - name: Find existing comment
@@ -95,7 +99,8 @@ jobs:
           comment-author: 'github-actions[bot]'
           body-includes: '<!-- conflict-checker-comment -->'
 
-      - name: Create or update comment
+
+      - name: Create or update comment # zizmor: ignore[superfluous-actions]
         uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
         with:
           comment-id: ${{ steps.find-comment.outputs.comment-id }}
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -8,8 +8,15 @@ on:
     branches:
       - "main"
 
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build:
+    name: Lint and test (Python ${{ matrix.python-version }})
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -68,5 +75,5 @@ jobs:
       - name: Upload coverage reports to Codecov
         uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5.5.2
         with:
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ secrets.CODECOV_TOKEN }} # zizmor: ignore[secrets-outside-env]
           slug: prowler-cloud/py-pwsh-session
diff --git a/.github/workflows/pypi-release.yml b/.github/workflows/pypi-release.yml
@@ -1,24 +1,29 @@
 name: PyPI release
-permissions:
-    contents: read
-    id-token: write
 
 on:
     release:
         types: [published]
 
+permissions: {}
+
+concurrency:
+    group: ${{ github.workflow }}-${{ github.ref }}
+    cancel-in-progress: false
+
 env:
-    RELEASE_TAG: ${{ github.event.release.tag_name }}
     PYTHON_VERSION: 3.11
-    # CACHE: "poetry"
 
 jobs:
     release:
         runs-on: ubuntu-latest
+        environment: release
+        permissions:
+            contents: read
+            id-token: write
 
         name: Release py-pwsh-session to PyPI
         steps:
-            - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
               with:
                   persist-credentials: false
 
@@ -27,15 +32,13 @@ jobs:
                   pipx install poetry==2.1.1
 
             - name: Setup Python
-              uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+              uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
               with:
                   python-version: ${{ env.PYTHON_VERSION }}
-                  # cache: ${{ env.CACHE }}
 
             - name: Build package
               run: |
                   poetry build
 
             - name: Publish package to PyPI
-              run: |
-                  POETRY_PYPI_TOKEN_PYPI=${{ secrets.PYPI_API_TOKEN }} poetry publish
+              uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,52 @@
+name: "Tools: Zizmor"
+
+on:
+  push:
+    branches:
+      - "main"
+    paths:
+      - ".github/workflows/**"
+  pull_request:
+    branches:
+      - "main"
+    paths:
+      - ".github/workflows/**"
+
+permissions: {}
+
+jobs:
+  zizmor-pr:
+    name: Run zizmor (PR)
+    if: github.event_name == 'pull_request'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+        with:
+          advanced-security: "false"
+          annotations: "true"
+
+  zizmor-push:
+    name: Run zizmor (push)
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -21,6 +21,12 @@ repos:
         args: ["--autofix"]
         files: pyproject.toml
 
+  ## GITHUB ACTIONS
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor
+
   ## PYTHON
   - repo: https://github.com/myint/autoflake
     rev: v2.3.1
