add zizmor for linting workflows.

Signed-off-by: NicholasTanz <[email protected]>

Author: NicholasTanz

.github/workflows/_test.yml

@@ -43,6 +43,8 @@ jobs:
     steps:
       - name: Checkout securesystemslib
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38

.github/workflows/cd.yml

@@ -21,6 +21,7 @@ jobs:
       - name: Checkout release tag
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           ref: ${{ github.event.workflow_run.head_branch }}
 
       - name: Set up Python
@@ -67,8 +68,8 @@ jobs:
             res = await github.rest.repos.createRelease({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              name: '${{ github.ref_name }}-rc',
-              tag_name: '${{ github.ref }}',
+              name: process.env.REF_NAME + '-rc',
+              tag_name: process.env.REF,
               body: 'Release waiting for review...',
             });
 
@@ -82,6 +83,10 @@ jobs:
               });
             });
             return res.data.id
+        env:
+          REF_NAME: ${{ github.ref_name }}
+          REF: ${{ github.ref }}
+
 
   release:
     name: Release
@@ -106,13 +111,15 @@ jobs:
       - name: Finalize GitHub release
         uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
         with:
-          script: |
+          script: | # zizmor: ignore[template-injection]
             github.rest.repos.updateRelease({
               owner: context.repo.owner,
               repo: context.repo.repo,
               release_id: '${{ needs.candidate_release.outputs.release_id }}',
-              name: '${{ github.ref_name }}',
+              name: process.env.REF_NAME,
               body: 'See [CHANGELOG.md](https://github.com/' +
                      context.repo.owner + '/' + context.repo.repo +
-                    '/blob/${{ github.ref_name }}/CHANGELOG.md) for details.'
+                    '/blob/' + process.env.REF_NAME + '/CHANGELOG.md) for details.'
             })
+        env:
+          REF_NAME: ${{ github.ref_name }}

.github/workflows/check-upstream-ed25519.yml

@@ -17,6 +17,8 @@ jobs:
     steps:
     - name: Check out repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+      with:
+        persist-credentials: false
     - name: Test if ed25519 upstream main HEAD is what we expect
       id: test_ed25519
       run: |
@@ -30,7 +32,7 @@ jobs:
       uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea
       if: ${{ steps.test_ed25519.outputs.result == '1' }}
       with:
-        script: |
+        script: | # zizmor: ignore[template-injection]
           console.log("ed25519 upstream main has changed!")
           console.log("${{ steps.test_ed25519.outputs.output }}")
           const repo = context.repo.owner + "/" + context.repo.repo

.github/workflows/test-kms-aws.yml

@@ -4,12 +4,18 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
   local-aws-kms:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout securesystemslib
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38

.github/workflows/test-kms.yml

@@ -18,6 +18,8 @@ jobs:
     steps:
       - name: Checkout securesystemslib
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38

.github/workflows/test-sigstore.yml

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout securesystemslib
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38

.github/workflows/test-vault.yaml

@@ -4,12 +4,18 @@ on:
   push:
   pull_request:
 
+permissions: {}
+
 jobs:
   local-vault:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout securesystemslib
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@42375524e23c412d93fb67b49958b491fce71c38

requirements-lint.txt

@@ -1,2 +1,3 @@
 mypy==1.15.0
 ruff==0.9.7
+zizmor==1.4.1

tox.ini

@@ -70,6 +70,7 @@ commands =
     ruff check {[testenv:lint]lint_dirs}
 
     mypy {[testenv:lint]lint_dirs}
+    zizmor --persona=pedantic -q .
 
 [testenv:fix]
 deps = {[testenv:lint]deps}