Merge pull request #1432 from yedayak/zizmor-ghactions

Analyze github workflows with zizmor

Author: yedayak

.github/workflows/ci.yaml

@@ -6,12 +6,15 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with: # for gitlint
+          persist-credentials: false
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0
       - uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38 # v5.4.0
@@ -39,6 +42,8 @@ jobs:
 
   distcheck:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # TODO: This is needed for release, maybe split the release steps to a different job?
     strategy:
       matrix:
         include:
@@ -53,6 +58,8 @@ jobs:
       fail-fast: false
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: googleapis/release-please-action@5792afc6b46e9bb55deda9eda973a18c226bc3fc # v4.1.5
         with:
           config-file: .github/release-please-config.json
@@ -89,8 +96,9 @@ jobs:
       - name: Upload release assets
         run: |
           set -x
-          gh release upload ${{steps.release.outputs.tag_name}} \
+          gh release upload ${RELEASE_PLEASE_TAG_NAME} \
             bash-completion-$(cat version.txt).tar.xz sha256sums.txt
         env:
           GH_TOKEN: ${{github.token}}
+          RELEASE_PLEASE_TAG_NAME: ${{steps.release.outputs.tag_name}}
         if: steps.release.outputs.release_created

.github/workflows/update-docker-images.yml

@@ -15,6 +15,8 @@ on:
       - test/docker/*/install-packages.sh
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   update-test-image:
     runs-on: ubuntu-latest
@@ -27,8 +29,12 @@ jobs:
           - dist: debian10
           - dist: fedoradev
           - dist: ubuntu14
+    permissions:
+      packages: write # Get token that can write to ghcr.io
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ghcr.io

.pre-commit-config.yaml

@@ -102,3 +102,9 @@ repos:
     hooks:
       - id: typos
         exclude: ^(CHANGELOG\.md|test/(test-cmd-list\.txt|fixtures/.+))$
+
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.13.0
+    hooks:
+    - id: zizmor
+      files: '^.github/.*$'