ci: fix remaining zizmor findings and add zizmor CI check

- Scope checks: write to linting job instead of workflow level in ci.yaml
- Add permissions: {} at workflow level for bump-payload-on-main,
  bump-payload-on-releases, and slash workflows
- Scope job-level permissions for bump-payload jobs (contents: write,
  pull-requests: write)
- Add zizmor GitHub Actions security analysis workflow

Resolves all high/low/info zizmor findings. Only secrets-outside-env
(medium, requires GitHub environment setup) and secrets-inherit
(chatops_retest, needs plumbing changes) remain.

Related: #3300
Signed-off-by: Vincent Demeester <vdemeest@redhat.com>

Author: vdemeester

.github/workflows/bump-payload-on-main.yaml

@@ -6,10 +6,15 @@ on:  # yamllint disable-line rule:truthy
   # Run this every week day at 1AM
   - cron: '0 1 * * 1-5'
 
+permissions: {}
+
 jobs:
   bump-payloads:
     name: "Bump payloads"
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     if: github.repository_owner == 'tektoncd'  # do not run this elsewhere
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

.github/workflows/bump-payload-on-releases.yaml

@@ -6,9 +6,12 @@ on:  # yamllint disable-line rule:truthy
   # Run this every week day at 2AM
   - cron: '0 2 * * 1-5'
 
+permissions: {}
+
 jobs:
   build-release-matrix:
     runs-on: ubuntu-latest
+    permissions: {}
     if: github.repository_owner == 'tektoncd'  # do not run this elsewhere
     steps:
     - id: set-matrix
@@ -21,6 +24,9 @@ jobs:
   bump-payloads:
     needs: build-release-matrix
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     strategy:
       matrix:
         branch: ${{ fromJSON(needs.build-release-matrix.outputs.branches) }}

.github/workflows/ci.yaml

@@ -16,7 +16,6 @@ defaults:
 
 permissions:
   contents: read
-  checks: write  # Used to annotate code in the PR
 
 jobs:
   changes:
@@ -84,6 +83,9 @@ jobs:
     needs: [changes]
     name: lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      checks: write  # Used to annotate code in the PR
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       with:

.github/workflows/slash.yml

@@ -23,6 +23,8 @@ on:
     types:
       - created
 
+permissions: {}
+
 jobs:
   check_comments:
     runs-on: ubuntu-latest

.github/workflows/zizmor.yaml

@@ -0,0 +1,23 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2