chore: lint gh actions with zizmor (#4062)

Signed-off-by: Will Murphy <willmurphyscode@users.noreply.github.com>

.github/actions/bootstrap/action.yaml

@@ -55,8 +55,11 @@ runs:
     - name: Install apt packages
       if: inputs.bootstrap-apt-packages != ''
       shell: bash
+      env:
+        APT_PACKAGES: ${{ inputs.bootstrap-apt-packages }}
       run: |
-        DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y ${{ inputs.bootstrap-apt-packages }}
+        IFS=' ' read -ra packages <<< "$APT_PACKAGES"
+        DEBIAN_FRONTEND=noninteractive sudo apt update && sudo -E apt install -y "${packages[@]}"
 
     - name: Restore ORAS cache from github actions
       if: inputs.download-test-fixture-cache == 'true'

.github/workflows/codeql-analysis.yml

@@ -37,6 +37,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+      with:
+        persist-credentials: false
 
     - name: Install Go
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 #v5.5.0

.github/workflows/detect-schema-changes.yaml

@@ -28,9 +28,15 @@ jobs:
   label:
     name: "Label changes"
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
     steps:
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - run: python .github/scripts/labeler.py
         env:

.github/workflows/release-version-file.yaml

@@ -14,13 +14,22 @@ on:
         type: string
         description: release version to update the version file with (prefixed with v)
         required: true
+    secrets:
+      TOOLBOX_AWS_ACCESS_KEY_ID:
+        required: true
+      TOOLBOX_AWS_SECRET_ACCESS_KEY:
+        required: true
 
 jobs:
 
   release:
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Update version file
         run: make ci-release-version-file

.github/workflows/release.yaml

@@ -16,6 +16,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Check if running on main
         if: github.ref != 'refs/heads/main'
@@ -28,8 +30,10 @@ jobs:
       - name: Check if tag already exists
         # note: this will fail if the tag already exists
         run: |
-          [[ "${{ github.event.inputs.version }}" == v* ]] || (echo "version '${{ github.event.inputs.version }}' does not have a 'v' prefix" && exit 1)
-          git tag ${{ github.event.inputs.version }}
+          [[ "$VERSION" == v* ]] || (echo "version '$VERSION' does not have a 'v' prefix" && exit 1)
+          git tag "$VERSION"
+        env:
+          VERSION: ${{ github.event.inputs.version }}
 
       - name: Check static analysis results
         uses: fountainhead/action-wait-for-check@5a908a24814494009c4bb27c242ea38c93c593be # v1.2.0
@@ -87,13 +91,20 @@ jobs:
 
       - name: Quality gate
         if: steps.static-analysis.outputs.conclusion != 'success' || steps.unit.outputs.conclusion != 'success' || steps.integration.outputs.conclusion != 'success' || steps.cli-linux.outputs.conclusion != 'success' || steps.acceptance-linux.outputs.conclusion != 'success' || steps.acceptance-mac.outputs.conclusion != 'success'
+        env:
+          STATIC_ANALYSIS_STATUS: ${{ steps.static-analysis.conclusion }}
+          UNIT_TEST_STATUS: ${{ steps.unit.outputs.conclusion }}
+          INTEGRATION_TEST_STATUS: ${{ steps.integration.outputs.conclusion }}
+          ACCEPTANCE_LINUX_STATUS: ${{ steps.acceptance-linux.outputs.conclusion }}
+          ACCEPTANCE_MAC_STATUS: ${{ steps.acceptance-mac.outputs.conclusion }}
+          CLI_LINUX_STATUS: ${{ steps.cli-linux.outputs.conclusion }}
         run: |
-          echo "Static Analysis Status: ${{ steps.static-analysis.conclusion }}"
-          echo "Unit Test Status: ${{ steps.unit.outputs.conclusion }}"
-          echo "Integration Test Status: ${{ steps.integration.outputs.conclusion }}"
-          echo "Acceptance Test (Linux) Status: ${{ steps.acceptance-linux.outputs.conclusion }}"
-          echo "Acceptance Test (Mac) Status: ${{ steps.acceptance-mac.outputs.conclusion }}"
-          echo "CLI Test (Linux) Status: ${{ steps.cli-linux.outputs.conclusion }}"
+          echo "Static Analysis Status: $STATIC_ANALYSIS_STATUS"
+          echo "Unit Test Status: $UNIT_TEST_STATUS"
+          echo "Integration Test Status: $INTEGRATION_TEST_STATUS"
+          echo "Acceptance Test (Linux) Status: $ACCEPTANCE_LINUX_STATUS"
+          echo "Acceptance Test (Mac) Status: $ACCEPTANCE_MAC_STATUS"
+          echo "CLI Test (Linux) Status: $CLI_LINUX_STATUS"
           false
 
   release:
@@ -108,6 +119,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -129,10 +141,11 @@ jobs:
         run: |
           git config --global user.name "anchoreci"
           git config --global user.email "anchoreci@users.noreply.github.com"
-          git tag -a ${{ github.event.inputs.version }} -m "Release ${{ github.event.inputs.version }}"
+          git tag -a "$VERSION" -m "Release $VERSION"
           git push origin --tags
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ github.event.inputs.version }}
 
       - name: Build & publish release artifacts
         run: make ci-release
@@ -169,4 +182,6 @@ jobs:
     uses: ./.github/workflows/release-version-file.yaml
     with:
       version: ${{ github.event.inputs.version }}
-    secrets: inherit
+    secrets:
+      TOOLBOX_AWS_ACCESS_KEY_ID: ${{ secrets.TOOLBOX_AWS_ACCESS_KEY_ID }}
+      TOOLBOX_AWS_SECRET_ACCESS_KEY: ${{ secrets.TOOLBOX_AWS_SECRET_ACCESS_KEY }}

.github/workflows/remove-awaiting-response-label.yaml

@@ -6,6 +6,10 @@ on:
 
 jobs:
   run:
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
     uses: "anchore/workflows/.github/workflows/remove-awaiting-response-label.yaml@main"
     secrets:
       token: ${{ secrets.OSS_PROJECT_GH_TOKEN }}

.github/workflows/test-fixture-cache-publish.yaml

@@ -20,6 +20,8 @@ jobs:
       packages: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -34,7 +36,9 @@ jobs:
           DOWNLOAD_TEST_FIXTURE_CACHE: "false"
 
       - name: Login to GitHub Container Registry (ORAS)
-        run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u ${{ github.actor }} --password-stdin
+        run: echo "${{ secrets.GITHUB_TOKEN }}" | .tool/oras login ghcr.io -u "$ACTOR" --password-stdin
+        env:
+          ACTOR: ${{ github.actor }}
 
       - name: Publish test fixture cache
         run: make upload-test-fixture-cache

.github/workflows/update-anchore-dependencies.yml

@@ -16,6 +16,8 @@ jobs:
     if: github.repository_owner == 'anchore' # only run for main repo (not forks)
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap

.github/workflows/update-bootstrap-tools.yml

@@ -14,6 +14,8 @@ jobs:
     if: github.repository == 'anchore/syft' # only run for main repo
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap

.github/workflows/update-cpe-dictionary-index.yml

@@ -17,6 +17,8 @@ jobs:
     if: github.repository == 'anchore/syft' # only run for main repo
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap

.github/workflows/validate-github-actions.yaml

@@ -0,0 +1,35 @@
+name: "Validate GitHub Actions"
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+  push:
+    branches:
+      - main
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: "Lint"
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write  # for uploading SARIF results
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run zizmor"
+        uses: zizmorcore/zizmor-action@f52a838cfabf134edcbaa7c8b3677dde20045018 # v0.1.1
+        with:
+          config-file: .github/zizmor.yml
+          sarif-upload: true
+          inputs: .github

.github/workflows/validations.yaml

@@ -18,6 +18,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -33,6 +35,8 @@ jobs:
     runs-on: ubuntu-22.04-4core-16gb
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -49,6 +53,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -67,6 +73,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -100,6 +108,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -155,6 +165,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -198,9 +210,11 @@ jobs:
     runs-on: macos-latest
     steps:
       - name: Install Cosign
-        uses: sigstore/cosign-installer@v3.9.1
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -238,6 +252,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Bootstrap environment
         uses: ./.github/actions/bootstrap
@@ -276,6 +292,8 @@ jobs:
       - Upload-Snapshot-Artifacts
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Delete snapshot cache
         run: gh cache delete "snapshot-build-${{ github.run_id }}"

.github/zizmor.yml

@@ -0,0 +1,11 @@
+rules:
+  unpinned-uses:
+    ignore:
+      # Allow unpinned uses of trusted internal anchore/workflows actions
+      - update-anchore-dependencies.yml
+
+  dangerous-triggers:
+    ignore:
+      # Safe use of pull_request_target - only runs trusted scripts from base repo,
+      # never checks out PR code, needs secrets for labeling PRs from forks
+      - detect-schema-changes.yaml