Enforce GHA workflow auditing/linting (#554)

caxu-rh · web-flow · commit da65a79cd713 · 2025-12-02T11:48:42.000-06:00
Signed-off-by: Caleb Xu &lt;caxu@redhat.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,6 +4,8 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 4
     ignore:
       # Automatic updates for these are disabled as they are updated manually to
       # align with platform dependencies defined at
@@ -15,6 +17,8 @@ updates:
     directory: "/.github"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 4
     groups:
       actions:
         applies-to: "version-updates"
@@ -29,3 +33,5 @@ updates:
     directory: "/scripts"
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 4
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -31,7 +31,7 @@ jobs:
               run: |
                   # Run go tests
                   make test
-                  if [[ ! -z $(git status -s) ]]
+                  if [[ -n $(git status -s) ]]
                   then
                     echo "go test - errors running go tests : $(git status -s)"
                     exit 1
diff --git a/.github/workflows/check-actions.yml b/.github/workflows/check-actions.yml
@@ -0,0 +1,25 @@
+name: Analyze GitHub Actions security
+
+on:
+  pull_request:
+    paths:
+      - '.github/**'
+
+permissions: {}
+
+jobs:
+  check-actions:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        with:
+          persist-credentials: false
+
+      - name: Setup Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        with:
+          go-version-file: go.mod
+
+      - name: Run Linters
+        run: make gha.lint
diff --git a/.github/workflows/functional-tests.yaml b/.github/workflows/functional-tests.yaml
@@ -86,7 +86,7 @@ jobs:
       - name: Get Date
         id: get-date
         run: |
-          echo "date=$(/bin/date -u "+%Y%m%d")" | tee -a $GITHUB_OUTPUT
+          echo "date=$(/bin/date -u "+%Y%m%d")" | tee -a "${GITHUB_OUTPUT}"
         shell: bash
 
       - uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
@@ -114,7 +114,7 @@ jobs:
           echo "Building container image using podman for the tests, tagging as ${image_tag}"
           make build-image "IMAGE_TAG=${image_tag}"
           podman build -t "quay.io/redhat-certification/chart-verifier:${image_tag}" .
-          echo "podman_image_tag=${image_tag}" | tee -a $GITHUB_OUTPUT
+          echo "podman_image_tag=${image_tag}" | tee -a "${GITHUB_OUTPUT}"
 
       - name: Create tarfile
         id: create-tarfile
@@ -130,10 +130,10 @@ jobs:
           CLUSTER_TOKEN: ${{ secrets.cluster-token }}
         run: |
           # oc login
-          API_SERVER=$( echo -n "${CLUSTER_API_SERVER}" | base64 -d)
+          API_SERVER="$( echo -n "${CLUSTER_API_SERVER}" | base64 -d)"
           gpg --version
           curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
-          if [ $GITHUB_REPOSITORY == "redhat-certification/chart-verifier" ]; then
+          if [ "${GITHUB_REPOSITORY}" == "redhat-certification/chart-verifier" ]; then
             # TODO: temporarily allow for skipping TLS verification as the new cluster uses local-only certificates
             # This if logic isn't removed to remind us to come back and swap this out when a valid cert is put in place.
             oc login --insecure-skip-tls-verify --token="${CLUSTER_TOKEN}" --server="${API_SERVER}"
diff --git a/.github/workflows/gosec.yaml b/.github/workflows/gosec.yaml
@@ -23,8 +23,7 @@ jobs:
       - name: Security scan
         shell: bash
         run: |
-            make gosec
-            if [[ $? != 0 ]]
+            if ! make gosec
             then
               echo "gosec scanner failed to run "
               exit 1
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -27,8 +27,8 @@ jobs:
         id: get_commit_id
         run: |
           # Make the short commit ID available to the following steps.
-          COMMIT_ID=$(git rev-parse --short HEAD)
-          echo "commit_id=$COMMIT_ID" | tee -a $GITHUB_OUTPUT
+          COMMIT_ID="$(git rev-parse --short HEAD)"
+          echo "commit_id=$COMMIT_ID" | tee -a "${GITHUB_OUTPUT}"
 
       - name: Build container images
         id: build_container_images
diff --git a/.github/workflows/notify-need-ok-to-test.yaml b/.github/workflows/notify-need-ok-to-test.yaml
@@ -1,7 +1,7 @@
 name: Notify ok-to-test required
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] # pull_request_target is needed to be able to comment on the pull request.
     branches: [main]
     types:
       - opened
diff --git a/.github/workflows/pr-functional-tests.yaml b/.github/workflows/pr-functional-tests.yaml
@@ -8,7 +8,7 @@ name: Pull request functional testing
 # This workflow also handles removing said label on content changes.
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] # pull_request_target is needed to be able to modify labels on the pull request and to access repository secrets.
     branches: [main]
     types:
       - opened
@@ -189,8 +189,9 @@ jobs:
         if: ${{ steps.check_version_updated.outputs.updated == 'true'}}
         run: |
           git fetch
-          export ORIGIN_MAIN_SHA=$(git rev-parse origin/main)
-          echo "origin_main_sha=$ORIGIN_MAIN_SHA" | tee -a $GITHUB_OUTPUT
+          ORIGIN_MAIN_SHA="$(git rev-parse origin/main)"
+          export ORIGIN_MAIN_SHA
+          echo "origin_main_sha=$ORIGIN_MAIN_SHA" | tee -a "${GITHUB_OUTPUT}"
 
       - name: Create release tag
         id: create_release_tag
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -59,7 +59,7 @@ jobs:
       - name: Print tag to GITHUB_OUTPUT
         id: get_tag
         run: |
-          echo "release_version=${GITHUB_REF#refs/*/}" | tee -a $GITHUB_OUTPUT
+          echo "release_version=${GITHUB_REF#refs/*/}" | tee -a "${GITHUB_OUTPUT}"
 
       - name: Build binary and make tarball
         id: build_bin
@@ -69,8 +69,9 @@ jobs:
           make bin
           TARBALL_NAME="chart-verifier-${RELEASE_VERSION}.tgz"
           tar -zcvf "$TARBALL_NAME" -C out/ chart-verifier
-          export TARBALL_PATH=$(realpath "$TARBALL_NAME")
-          echo "tarball_path=$TARBALL_PATH" | tee -a $GITHUB_OUTPUT
+          TARBALL_PATH="$(realpath "$TARBALL_NAME")"
+          export TARBALL_PATH
+          echo "tarball_path=$TARBALL_PATH" | tee -a "${GITHUB_OUTPUT}"
 
       - name: Check that the tag matches the current version
         id: check_tag_and_version
@@ -87,7 +88,7 @@ jobs:
         env:
           REPOSITORY_NAME: ${{ github.event.repository.name }}
           RELEASE_VERSION: ${{ steps.get_tag.outputs.release_version }}
-        run: echo sbom_filename="${REPOSITORY_NAME}-${RELEASE_VERSION}-sbom.spdx.json" | tee -a $GITHUB_OUTPUT
+        run: echo sbom_filename="${REPOSITORY_NAME}-${RELEASE_VERSION}-sbom.spdx.json" | tee -a "${GITHUB_OUTPUT}"
 
       - name: Generate SBOM
         continue-on-error: true
@@ -115,7 +116,7 @@ jobs:
 
       - name: Generate release body
         id: release_body
-        run: echo "release_body=$(ve1/bin/print-release-body)" | tee -a $GITHUB_OUTPUT
+        run: echo "release_body=$(ve1/bin/print-release-body)" | tee -a "${GITHUB_OUTPUT}"
 
       - name: Create tag and release
         env:
diff --git a/Makefile b/Makefile
@@ -144,6 +144,13 @@ venv.tools.always-reinstall:
 	./$(VENV_TOOLS_BIN)/pip install ./scripts
 	cd ..
 
+gha.lint: actionlint zizmor
+
+actionlint: install.actionlint
+	$(ACTIONLINT)
+
+zizmor: install.zizmor
+	$(ZIZMOR) .
 
 ### Developer Tooling Installation
 # gosec
@@ -163,12 +170,43 @@ GOLANGCI_LINT = $(shell pwd)/out/golangci-lint
 GOLANGCI_LINT_VERSION ?= v2.2.1
 install.golangci-lint: $(GOLANGCI_LINT)
 $(GOLANGCI_LINT):
-	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))\
+	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint@$(GOLANGCI_LINT_VERSION))
+
+# actionlint
+ACTIONLINT = $(shell pwd)/out/actionlint
+ACTIONLINT_VERSION ?= v1.7.0
+install.actionlint: $(ACTIONLINT)
+$(ACTIONLINT):
+	$(call go-install-tool,$(ACTIONLINT),github.com/rhysd/actionlint/cmd/actionlint@$(ACTIONLINT_VERSION))
+
+# zizmor
+ZIZMOR = $(shell pwd)/out/zizmor
+ZIZMOR_VERSION ?= v1.17.0
+ZIZMOR_ARCH = $(shell uname -m | sed 's/amd64/x86_64/g; s/arm64/aarch64/g')
+ZIZMOR_OS = $(shell uname -s | sed 's/Linux/unknown-linux-gnu/g; s/Darwin/apple-darwin/g')
+ZIZMOR_PLATFORM ?= $(ZIZMOR_ARCH)-$(ZIZMOR_OS)
+install.zizmor: $(ZIZMOR)
+$(ZIZMOR):
+	$(call github-release-install-tool,$(shell pwd)/out/zizmor.tar.gz,zizmorcore/zizmor,$(ZIZMOR_VERSION),zizmor-$(ZIZMOR_PLATFORM).tar.gz)
+	tar -xzf $(shell pwd)/out/zizmor.tar.gz -C $(shell pwd)/out ./zizmor
+	rm $(shell pwd)/out/zizmor.tar.gz
 
 # go-install-tool will 'go install' any package $2 and install it to $1.
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))
 define go-install-tool
 @[ -f $(1) ] || { \
 GOBIN=$(PROJECT_DIR)/out go install $(2) ;\
 }
+endef
+
+# github-release-install-tool
+# Arguments:
+# $1 - destination path
+# $2 - GitHub repository
+# $3 - release version
+# $4 - artifact name
+define github-release-install-tool
+@[ -f $(1) ] || { \
+curl -L https://github.com/$(2)/releases/download/$(3)/$(4) -o $(1) ;\
+}
 endef
