chore(ci): improve action security (#4404)

Adding checks for injections with zimzor (not supported by CodeQL
((yet))).

<img width="798" alt="image"
src="https://github.com/user-attachments/assets/57f1d00e-e949-47f6-9eec-ee7a1e0da5f5"
/>

Author: npalm

.github/workflows/actions.yml

@@ -0,0 +1,57 @@
+name: Lint GitHub Actions
+
+on:
+  push:
+    paths:
+      - '.github/workflows/*.ya?ml'
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '.github/workflows/*.ya?ml'
+
+concurrency:
+  group: "actionlint-${{ github.ref }}"
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+permissions: {}
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: lint wit zizmor
+        run: |
+          pipx install zizmor
+          zizmor --gh-token ${{ secrets.GITHUB_TOKEN }} --format sarif . > results.sarif || true
+
+      - name: Upload SARIF file
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: results.sarif
+          path: results.sarif
+
+  upload:
+    needs: lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Download SARIF file
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: results.sarif
+          path: results.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+        with:
+          sarif_file: results.sarif
+          category: actions-zizmor

.github/workflows/codeql.yml

@@ -26,6 +26,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/lambda.yml

@@ -25,6 +25,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: yarn install --frozen-lockfile
       - name: Run prettier

.github/workflows/packer-build.yml

@@ -30,6 +30,8 @@ jobs:
     steps:
       - name: "Checkout"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: packer init
         run: packer init .
       - name: check packer formatting

.github/workflows/release.yml

@@ -20,6 +20,8 @@ jobs:
         with:
           node-version: 22
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Build dist
         working-directory: lambdas
         run: yarn install --frozen-lockfile && yarn run test && yarn dist
@@ -50,17 +52,25 @@ jobs:
         if: ${{ steps.release.outputs.releases_created == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ github.event.inputs.version }}
+          TAG_NAME: ${{ steps.release.outputs.tag_name }}
+          ATTESTATION_URL: ${{ steps.attest.outputs.attestation-url }}
         run: |
-          gh release view ${{ github.event.inputs.version }} --json body -q '.body' > new-release-notes.md
+          version="${VERSION}"
+          tag_name="${TAG_NAME}"
+          attestation_url="${ATTESTATION_URL}"
+          gh release view $version --json body -q '.body' > new-release-notes.md
           echo "## Attestation" >> new-release-notes.md
-          echo "Attestation url: ${{ steps.attest.outputs.attestation-url }}" >> new-release-notes.md
+          echo "Attestation url: $attestation_url" >> new-release-notes.md
           echo "Verify the artifacts by running \`gh attest verify <name_of_artifact> --repo ${{ github.repository }}\`" >> new-release-notes.md
-          gh release edit ${{ steps.release.outputs.tag_name }} -F new-release-notes.md -t ${{ steps.release.outputs.tag_name }}
+          gh release edit $tag_name -F new-release-notes.md -t $tag_name
       - name: Upload release assets
         if: ${{ steps.release.outputs.releases_created == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ steps.release.outputs.tag_name }}
         run: |
+          tag_name="${TAG_NAME}"
           for f in $(find . -name '*.zip'); do
-            gh release upload ${{ steps.release.outputs.tag_name }} $f
+            gh release upload $tag_name $f
           done

.github/workflows/semantic-check.yml

@@ -14,6 +14,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         name: Check PR for Semantic Commit Message
         env:

.github/workflows/terraform.yml

@@ -8,7 +8,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 env:
   AWS_REGION: eu-west-1
@@ -24,6 +23,8 @@ jobs:
     steps:
       - name: "Checkout"
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: "Fake zip files" # Validate will fail if it cannot find the zip files
         run: |
           touch lambdas/functions/webhook/webhook.zip
@@ -47,7 +48,7 @@ jobs:
         run: apk add --no-cache tar
         continue-on-error: true
       - if: contains(matrix.terraform, '1.5.')
-        uses: actions/cache@ab5e6d0c87105b4c9c2047343972218f562e4319 # v4.0.1
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         name: Cache TFLint plugin dir
         with:
           path: ~/.tflint.d/plugins
@@ -90,6 +91,8 @@ jobs:
       image: hashicorp/terraform:${{ matrix.terraform }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: terraform init
         run: terraform init -get -backend=false -input=false
       - if: contains(matrix.terraform, '1.3.')
@@ -106,7 +109,7 @@ jobs:
         run: apk add --no-cache tar
         continue-on-error: true
       - if: contains(matrix.terraform, '1.3.')
-        uses: actions/cache@v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         name: Cache TFLint plugin dir
         with:
           path: ~/.tflint.d/plugins
@@ -145,6 +148,8 @@ jobs:
       image: hashicorp/terraform:${{ matrix.terraform }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: terraform init
         run: terraform init -get -backend=false -input=false
       - if: contains(matrix.terraform, '1.5.')
@@ -161,7 +166,7 @@ jobs:
         run: apk add --no-cache tar
         continue-on-error: true
       - if: contains(matrix.terraform, '1.5.')
-        uses: actions/cache@v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
         name: Cache TFLint plugin dir
         with:
           path: ~/.tflint.d/plugins

.github/workflows/update-docs.yml

@@ -6,19 +6,19 @@ on:
       - "**/*.md"
       - ".github/workflows/update-docs.yml"
 
-permissions:
-  contents: write
-  pull-requests: write
-
 jobs:
   docs:
     name: Auto update terraform docs
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
     steps:
       - name: Checkout with GITHUB Action token
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: true
 
       # use an app to ensure CI is triggered
       - name: Generate TF docs
@@ -55,6 +55,8 @@ jobs:
   deploy-pages:
     needs: [docs]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Configure Git Credentials

.github/zizmor.yml

@@ -0,0 +1,9 @@
+rules:
+  artipacked:
+    ignore:
+      # update docs requires token to be persisted
+      - update-docs.yml:61:9
+  dangerous-triggers:
+    ignore:
+      # semantic check with only a read only token
+      - semantic-check.yml:2:1