Fix CI/CD security to follow zizmor recommendations

.github/workflows/ci.yml

@@ -5,13 +5,19 @@ on:
     branches: [main]
   pull_request:
 
+permissions: {}
+
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2
         with:
           bun-version: 1.2.12
 
@@ -23,10 +29,14 @@ jobs:
 
   prettier:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
-      - uses: oven-sh/setup-bun@v1
+      - uses: oven-sh/setup-bun@f4d14e03ff726c06358e5557344e1da148b56cf7 # v1
         with:
           bun-version: latest
 
@@ -38,10 +48,14 @@ jobs:
 
   typecheck:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
 
-      - uses: oven-sh/setup-bun@v2
+      - uses: oven-sh/setup-bun@735343b667d3e6f658f44d0eca948eb6282f2b76 # v2
         with:
           bun-version: 1.2.12
 
@@ -50,3 +64,17 @@ jobs:
 
       - name: Run TypeScript type check
         run: bun run typecheck
+
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0

.github/workflows/claude-review.yml

@@ -4,6 +4,8 @@ on:
   pull_request:
     types: [opened]
 
+permissions: {}
+
 jobs:
   review:
     runs-on: ubuntu-latest
@@ -13,12 +15,13 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: PR Review with Progress Tracking
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@7145c3e0510bcdbdd29f67cc4a8c1958f1acfa2f # v1
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
 

.github/workflows/claude.yml

@@ -10,6 +10,8 @@ on:
   pull_request_review:
     types: [submitted]
 
+permissions: {}
+
 jobs:
   claude:
     if: |
@@ -25,13 +27,14 @@ jobs:
       id-token: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Run Claude Code
         id: claude
-        uses: anthropics/claude-code-action@v1
+        uses: anthropics/claude-code-action@7145c3e0510bcdbdd29f67cc4a8c1958f1acfa2f # v1
         with:
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
           claude_args: |

.github/workflows/issue-triage.yml

@@ -4,6 +4,8 @@ on:
   issues:
     types: [opened]
 
+permissions: {}
+
 jobs:
   triage-issue:
     runs-on: ubuntu-latest
@@ -14,12 +16,13 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Run Claude Code for Issue Triage
-        uses: anthropics/claude-code-action@main
+        uses: anthropics/claude-code-action@3ba9f7c8c2d3f122d3465c267a87b26a1f4783a6 # main
         with:
           prompt: "/label-issue REPO: ${{ github.repository }} ISSUE_NUMBER${{ github.event.issue.number }}"
           anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

.github/workflows/release.yml

@@ -9,6 +9,8 @@ on:
         type: boolean
         default: false
 
+permissions: {}
+
 jobs:
   create-release:
     runs-on: ubuntu-latest
@@ -19,7 +21,7 @@ jobs:
       next_version: ${{ steps.next_version.outputs.next_version }}
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
 
@@ -36,10 +38,11 @@ jobs:
 
       - name: Calculate next version
         id: next_version
+        env:
+          LATEST_TAG: ${{ steps.get_latest_tag.outputs.latest_tag }}
         run: |
-          latest_tag="${{ steps.get_latest_tag.outputs.latest_tag }}"
           # Remove 'v' prefix and split by dots
-          version=${latest_tag#v}
+          version=${LATEST_TAG#v}
           IFS='.' read -ra VERSION_PARTS <<< "$version"
 
           # Increment patch version
@@ -54,31 +57,34 @@ jobs:
 
       - name: Display dry run info
         if: ${{ inputs.dry_run }}
+        env:
+          NEXT_VERSION: ${{ steps.next_version.outputs.next_version }}
+          LATEST_TAG: ${{ steps.get_latest_tag.outputs.latest_tag }}
         run: |
           echo "🔍 DRY RUN MODE"
-          echo "Would create tag: ${{ steps.next_version.outputs.next_version }}"
+          echo "Would create tag: $NEXT_VERSION"
           echo "From commit: ${{ github.sha }}"
-          echo "Previous tag: ${{ steps.get_latest_tag.outputs.latest_tag }}"
+          echo "Previous tag: $LATEST_TAG"
 
       - name: Create and push tag
         if: ${{ !inputs.dry_run }}
+        env:
+          NEXT_VERSION: ${{ steps.next_version.outputs.next_version }}
         run: |
-          next_version="${{ steps.next_version.outputs.next_version }}"
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
-          git tag -a "$next_version" -m "Release $next_version"
-          git push origin "$next_version"
+          git tag -a "$NEXT_VERSION" -m "Release $NEXT_VERSION"
+          git push origin "$NEXT_VERSION"
 
       - name: Create Release
         if: ${{ !inputs.dry_run }}
         env:
           GH_TOKEN: ${{ github.token }}
+          NEXT_VERSION: ${{ steps.next_version.outputs.next_version }}
         run: |
-          next_version="${{ steps.next_version.outputs.next_version }}"
-
-          gh release create "$next_version" \
-            --title "$next_version" \
+          gh release create "$NEXT_VERSION" \
+            --title "$NEXT_VERSION" \
             --generate-notes \
             --latest=false # keep v1 as latest
 
@@ -91,36 +97,40 @@ jobs:
       contents: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           fetch-depth: 0
 
       - name: Update major version tag
+        env:
+          NEXT_VERSION: ${{ needs.create-release.outputs.next_version }}
         run: |
-          next_version="${{ needs.create-release.outputs.next_version }}"
           # Extract major version (e.g., v0 from v0.0.20)
-          major_version=$(echo "$next_version" | cut -d. -f1)
+          major_version=$(echo "$NEXT_VERSION" | cut -d. -f1)
 
           # Update the major version tag to point to this release
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
-          git tag -fa "$major_version" -m "Update $major_version tag to $next_version"
+          git tag -fa "$major_version" -m "Update $major_version tag to $NEXT_VERSION"
           git push origin "$major_version" --force
 
-          echo "Updated $major_version tag to point to $next_version"
+          echo "Updated $major_version tag to point to $NEXT_VERSION"
 
   release-base-action:
     needs: create-release
     if: ${{ !inputs.dry_run }}
     runs-on: ubuntu-latest
     environment: production
+    permissions:
+      contents: read
     steps:
       - name: Checkout base-action repo
-        uses: actions/checkout@v5
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           repository: anthropics/claude-code-base-action
           token: ${{ secrets.CLAUDE_CODE_BASE_ACTION_PAT }}
           fetch-depth: 0
+          persist-credentials: false
 
       # - name: Create and push tag
       #   run: |

.github/workflows/sync-base-action.yml

@@ -8,26 +8,30 @@ on:
       - "base-action/**"
   workflow_dispatch:
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   sync-base-action:
     name: Sync base-action to claude-code-base-action repository
     runs-on: ubuntu-latest
     environment: production
+    permissions:
+      contents: read
     timeout-minutes: 10
     steps:
       - name: Checkout source repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: Setup SSH and clone target repository
+        env:
+          DEPLOY_KEY: ${{ secrets.CLAUDE_CODE_BASE_ACTION_REPO_DEPLOY_KEY }}
         run: |
           # Configure SSH with deploy key
           mkdir -p ~/.ssh
-          echo "${{ secrets.CLAUDE_CODE_BASE_ACTION_REPO_DEPLOY_KEY }}" > ~/.ssh/deploy_key_base
+          echo "$DEPLOY_KEY" > ~/.ssh/deploy_key_base
           chmod 600 ~/.ssh/deploy_key_base
 
           # Configure SSH host