Add actionci.yml (#431)

* Add zizmor and frizbee CI checks

Add caller workflows for zizmor (security scanning) and frizbee
(action pinning verification). Fix zizmor findings where applicable
and add suppression config for intentional patterns.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add explicit permissions blocks, remove excessive-permissions ignores

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Replace zizmor line-number ignores with policies

Use unpinned-uses config.policies with org-level wildcard and
secrets-inherit disable instead of brittle per-line ignores that
break whenever workflow files change.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Disable ref-confusion audit

The ref-confusion audit crashes when workflows reference private
repos (e.g. internal-workflows, robot) because the GITHUB_TOKEN
lacks cross-repo access. Disable until zizmor supports scoping
this audit or we provide a broader token.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Add security-events: write to zizmor caller workflow

The caller workflow's permissions are the ceiling for reusable
workflows. The zizmor-action needs security-events: write to
upload SARIF results to GitHub Advanced Security.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* ci: Replace separate actionlint/zizmor/frizbee with actionci.yml

Consolidate the three separate workflow files into a single actionci.yml
that calls the shared workflow from smallstep/workflows.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: tashian

.github/workflows/actionci.yml

@@ -0,0 +1,22 @@
+name: Action CI
+
+on:
+  push:
+    tags-ignore:
+    - 'v*'
+    branches:
+    - "master"
+  pull_request:
+  workflow_call:
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  actionci:
+    permissions:
+      contents: read
+      security-events: write
+    uses: smallstep/workflows/.github/workflows/actionci.yml@main
+    secrets: inherit

.github/workflows/actionlint.yml

@@ -2,6 +2,11 @@ on:
   schedule:
     - cron: '0 0 * * SUN'
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   code-scan:
     uses: smallstep/workflows/.github/workflows/code-scan.yml@main

.github/workflows/code-scan-cron.yml

@@ -6,6 +6,9 @@ on:
     tags:
     - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10
 
+permissions:
+  contents: read
+
 jobs:
   ci:
     uses: smallstep/autocert/.github/workflows/ci.yml@master
@@ -14,6 +17,8 @@ jobs:
   create_release:
     name: Create Release
     needs: ci
+    permissions:
+      contents: write
     runs-on: ubuntu-latest
     env:
       INIT_DOCKER_IMAGE: smallstep/autocert-init
@@ -31,9 +36,11 @@ jobs:
     steps:
       - name: Is Pre-release
         id: is_prerelease
+        env:
+          REF: ${{ github.ref }}
         run: |
           set +e
-          echo ${{ github.ref }} | grep "\-rc.*"
+          echo "${REF}" | grep "\-rc.*"
           OUT=$?
           if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi
           echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}"

.github/workflows/release.yml

@@ -0,0 +1,12 @@
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        "smallstep/*": ref-pin
+  secrets-inherit:
+    disable: true
+  ref-confusion:
+    disable: true
+  dangerous-triggers:
+    ignore:
+      - triage.yml