chore: add zizmor GitHub Actions security workflow (#518)

Copilot · jkowalleck · web-flow · commit b3bbf59b67eb · 2026-05-06T10:13:30.000+02:00
### Description Adds `.github/workflows/zizmor.yml` to continuously audit all workflows in `.github/workflows/**` for security issues using [`zizmor`](https://docs.zizmor.sh). **Workflow behaviour** - **`pull_request`** (path-filtered to `.github/workflows/**`): runs on every PR touching workflow files; job fails on any findings, blocking merge - **`push`** (path-filtered to `.github/workflows/**`): runs on every push touching workflow files - **`schedule`**: weekly full scan every Saturday 00:00 UTC regardless of changes **Implementation details** - `advanced-security: false` — emits findings as workflow-command annotations (`::error file=…`) rather than uploading a SARIF report to GitHub's Security tab; produces a non-zero exit on findings (blocking). Uploading SARIF would require `security-events: write` and GitHub Advanced Security (GHAS), both of which are unnecessary here and would violate the least-privilege policy. The two modes are mutually exclusive: `advanced-security` must be `false` for `annotations` to take effect. - `annotations: true` — surfaces findings as GitHub PR annotations (up to 10 rendered inline; remainder in job log) - `persist-credentials: false` on checkout - Least-privilege: `permissions: {}` at workflow level, `contents: read` at job level only - `timeout-minutes: 10` - All action refs pinned to full commit SHAs with version comments, matching repo conventions Also fixes all zizmor findings in the existing `nodejs.yml` and `release.yml` workflows: - Added `persist-credentials: false` to all checkout steps - Updated `actions/setup-node` SHA to current v6 tag (`48b55a011bda`) - Fixed `DerLev/eslint-annotations` impostor SHA → correct v2 SHA (`a79ea65c1b45`) - Replaced `softprops/action-gh-release` with `gh release` CLI commands Resolves or fixes issue: none ### AI Tool Disclosure - [ ] My contribution does not include any AI-generated content - [x] My contribution includes AI-generated content, as disclosed below: - AI Tools: `GitHub Copilot` - LLMs and versions: `Claude Sonnet 4.5` - Prompts: `Create a zizmor GitHub Actions security workflow per the issue spec` ### Affirmation - [x] My code follows the [CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-node-yarn/blob/main/CONTRIBUTING.md) guidelines --------- Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com> Co-authored-by: Jan Kowalleck <jan.kowalleck@gmail.com>
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
@@ -35,9 +35,11 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
           package-manager-cache: false
@@ -81,10 +83,12 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - run: mkdir -p ${{ env.REPORTS_DIR }}
       - name: Setup Node.js ${{ matrix.node-version }}
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
           package-manager-cache: false
@@ -107,7 +111,7 @@ jobs:
       - name: Annotate Code
         if: ${{ failure() || success() }}
         # see https://github.com/DerLev/eslint-annotations
-        uses: DerLev/eslint-annotations@e75c54a2984700c03d60c5252c9c6a203bf013f5 # v2
+        uses: DerLev/eslint-annotations@a79ea65c1b45a649c48bcc6efc0103b6fd2e4c5f # v2
         with:
           eslint-report: ${{ env.REPORTS_DIR }}/eslint.json
       - name: artifact eslint result
@@ -127,10 +131,12 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - run: mkdir -p ${{ env.REPORTS_DIR }}
       - name: Setup Node.js ${{ matrix.node-version }}
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
           package-manager-cache: false
@@ -156,10 +162,12 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - run: mkdir -p ${{ env.REPORTS_DIR }}
       - name: Setup Node.js ${{ matrix.node-version }}
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
           package-manager-cache: false
@@ -186,6 +194,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: fetch build artifact
         # see https://github.com/actions/download-artifact
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
@@ -229,9 +239,11 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Node.js ${{ matrix.node-version }}
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ matrix.node-version }}
           package-manager-cache: false
@@ -299,9 +311,11 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Node.js ${{ matrix.node-version }}
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ matrix.node-version }}
           package-manager-cache: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -48,6 +48,7 @@ jobs:
           ref: ${{ needs.bump.outputs.version }}
           fetch-depth: 0
           fetch-tags: true
+          persist-credentials: false
       - name: Configure Git
         # needed for push back of changes
         run: |
@@ -56,7 +57,7 @@ jobs:
           git config --local user.name "${GITHUB_ACTOR}"
       - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
           package-manager-cache: false
@@ -88,11 +89,13 @@ jobs:
           git add package.json yarn.lock
           git commit -s -m "$GCOMMIT_MESSAGE"
           git tag -a  -m "$GCOMMIT_MESSAGE" "$GTAG_NAME"
+          git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
           git push --follow-tags
         env:
           COMMIT_MESSAGE: ${{ github.event.inputs.commitMessage }}
           GTAG_NAME: ${{ steps.bump.outputs.version }}
           VERSION_PLAIN: ${{ steps.bump.outputs.version_plain }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   build:
     needs: [ "bump" ]
@@ -105,9 +108,10 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ needs.bump.outputs.version }}
+          persist-credentials: false
       - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
           package-manager-cache: false
@@ -152,6 +156,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ needs.bump.outputs.version }}
+          persist-credentials: false
       - name: fetch build artifact
         # see https://github.com/actions/download-artifact
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7
@@ -176,9 +181,10 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ needs.bump.outputs.version }}
+          persist-credentials: false
       - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
           package-manager-cache: false
@@ -222,7 +228,7 @@ jobs:
           path: .
       - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
           package-manager-cache: false
@@ -288,14 +294,20 @@ jobs:
           "$DIST_DIR/NOTICE" \
           "$DIST_DIR/bom.json"
       - name: Create Release
-        id: release
-        # see https://github.com/softprops/action-gh-release
-        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name:   ${{ needs.bump.outputs.version }}
-          name:       ${{ needs.bump.outputs.version_plain }}
-          prerelease: ${{ github.event.inputs.prerelease }}
-          files:      '${{ env.ASSETS_DIR }}/*'
-          # If a tag already has a GitHub release, the existing release will be updated with the release assets.
+          R_PRERELEASE: ${{ github.event.inputs.prerelease }}
+          R_TITLE: ${{ needs.bump.outputs.version_plain }}
+          R_VERSION: ${{ needs.bump.outputs.version }}
+        run: |
+          set -exu
+          prerelease_flag=""
+          if [ "$R_PRERELEASE" = "true" ]; then
+            prerelease_flag="--prerelease"
+          fi
+          gh release create \
+            "$R_VERSION" \
+            $prerelease_flag \
+            --title "$R_TITLE" \
+            --notes "" \
+            "$ASSETS_DIR"/*
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,47 @@
+# For details of what checks are run for PRs please refer below
+# docs: https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions
+
+name: GitHub Actions Security with zizmor
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+  push:
+    paths:
+      - ".github/workflows/**"
+  schedule:
+    # Every Saturday 00:00 UTC
+    - cron: '0 0 * * 6'
+
+concurrency:
+  group: '${{ github.workflow }}-${{ github.ref }}'
+  cancel-in-progress: true
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        # see https://github.com/zizmorcore/zizmor-action
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          # advanced-security: false => emit findings as workflow-command annotations (::error file=…) rather than
+          # uploading a SARIF report to GitHub's Security tab.
+          # Uploading SARIF requires `security-events: write` and GitHub Advanced Security (GHAS),
+          # both of which are unnecessary here and would violate the least-privilege policy.
+          # The two modes are mutually exclusive: advanced-security must be false for
+          # annotations to take effect.
+          advanced-security: false
+          annotations: true
