chore(ci): zizmor fixes, pare down surface (#781)

woodruffw · web-flow · commit e06a422a0ed7 · 2025-05-08T23:35:32.000-04:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,13 +6,19 @@ on:
       - master
   pull_request:
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
       - name: Format
         run: cargo fmt && git diff --exit-code
+
       - name: Lint
         run: |
           rustup update
@@ -25,7 +31,9 @@ jobs:
         platform: ["ubuntu-latest", "macos-latest"]
     runs-on: ${{ matrix.platform }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     - name: deps
       if: matrix.platform == 'ubuntu-latest'
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -5,88 +5,21 @@ on:
     types:
       - published
 
+permissions: {}
+
 jobs:
   crate:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: deps
         run: |
           sudo apt install -y libxcb-shape0-dev libxcb-xfixes0-dev
 
-      - name: login
-        run: echo ${{ secrets.CRATES_IO_TOKEN }} | cargo login
-
       - name: publish
         run: cargo publish
-
-  package-bin-linux:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: deps
-        run: |
-          sudo apt install -y libxcb-shape0-dev libxcb-xfixes0-dev
-
-      - name: build
-        run: cargo build --release
-
-      - name: tarball
-        run: |
-          cd ./target/release
-          tar czvf kbs2-linux-${{ github.event.release.tag_name }}.tar.gz ./kbs2 ../../LICENSE ../../README.md ../../contrib/
-          shasum -a 256 kbs2-linux-${{ github.event.release.tag_name }}.tar.gz > kbs2-linux-${{ github.event.release.tag_name }}.sha256
-
-      - name: attach tarball to release
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ github.event.release.upload_url }}
-          asset_path: ./target/release/kbs2-linux-${{ github.event.release.tag_name }}.tar.gz
-          asset_name: kbs2-linux-${{ github.event.release.tag_name }}.tar.gz
-          asset_content_type: application/gzip
-
-      - name: attach checksum to release
-        uses: actions/upload-release-asset@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ github.event.release.upload_url }}
-          asset_path: ./target/release/kbs2-linux-${{ github.event.release.tag_name }}.sha256
-          asset_name: kbs2-linux-${{ github.event.release.tag_name }}.sha256
-          asset_content_type: text/plain
-
-  package-deb:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: deps
-        run: |
-          sudo apt install -y libxcb-shape0-dev libxcb-xfixes0-dev
-          cargo install cargo-deb
-
-      - name: package
-        run: cargo deb
-
-      - name: find deb
-        id: find_deb
-        run: |
-          deb_file=$(find ./target/debian/ -maxdepth 1 -type f -name '*.deb')
-          echo "::set-output name=deb_file::${deb_file}"
-
-          deb_name=$(basename "${deb_file}")
-          echo "::set-output name=deb_name::${deb_name}"
-
-      - name: attach to release
-        uses: actions/upload-release-asset@v1
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          upload_url: ${{ github.event.release.upload_url }}
-          asset_path: ${{ steps.find_deb.outputs.deb_file }}
-          asset_name: ${{ steps.find_deb.outputs.deb_name }}
-          asset_content_type: application/vnd.debian.binary-package
+          CARGO_REGISTRY_TOKEN: "${{ secrets.CRATES_IO_TOKEN }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,13 +5,15 @@ on:
 
 name: release
 
+permissions: {}
+
 jobs:
   release:
     runs-on: ubuntu-latest
     steps:
       - name: create release
         id: create_release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2
         env:
           # NOTE(ww): GitHub actions cannot trigger other GitHub actions by default,
           # but we need that behavior to trigger the 'publish' workflow.
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,37 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read # only needed for private repos
+      actions: read # only needed for private repos
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@c7f87aa956e4c323abf06d5dec078e358f6b4d04 # v6.0.0
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format=sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
