Add zizmor to CI

- Can't switch release actions to trusted publishing, see #224.
- Remove git credentials persistence everywhere.
- Fix "unsafe" template expansion in release-builtins. It should not
  be accessible to any untrusted third party as it's only on
  `workflow_dispatch` and `schedule`, but it can't hurt.

Fixes #249

Author: masklinn

.github/workflows/ci.yml

@@ -13,6 +13,7 @@ jobs:
       with:
         submodules: true
         fetch-depth: 0
+        persist-credentials: false
     - name: ruff check
       uses: chartboost/ruff-action@v1
     - name: ruff format
@@ -46,6 +47,7 @@ jobs:
       uses: actions/checkout@v4
       with:
         submodules: true
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -104,6 +106,7 @@ jobs:
       with:
         submodules: true
         fetch-depth: 0
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@v5
       with:

.github/workflows/release-builtins.yml

@@ -25,9 +25,12 @@ jobs:
       with:
         submodules: true
         fetch-depth: 0
+        persist-credentials: false
     - name: update core
+      env:
+        TAG: ${{ inputs.tag || 'master '}}
       # needs to detach because we can update to a tag
-      run: git -C uap-core switch --detach ${{ inputs.tag || 'master' }}
+      run: git -C uap-core switch --detach "$TAG"
     - name: Set up Python
       uses: actions/setup-python@v5
       with:

.github/workflows/release-main.yml

@@ -22,6 +22,8 @@ jobs:
     steps:
     - name: Checkout working copy
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:
@@ -34,15 +36,15 @@ jobs:
       run: python -mbuild
     - name: Publish to testpypi
       if: ${{ env.ENVNAME == 'testpypi' }}
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@release/v1  # zizmor: ignore[use-trusted-publishing]
       with:
         repository-url: https://test.pypi.org/legacy/
         skip-existing: true
         verbose: true
         password: ${{ secrets.PUBLISH_TOKEN }}
     - name: Publish to pypi
       if: ${{ env.ENVNAME == 'pypi' }}
-      uses: pypa/gh-action-pypi-publish@release/v1
+      uses: pypa/gh-action-pypi-publish@release/v1  # zizmor: ignore[use-trusted-publishing]
       with:
         verbose: true
         password: ${{ secrets.PUBLISH_TOKEN }}

.github/workflows/zizmor.yml

@@ -0,0 +1,32 @@
+name: Zizmor
+
+on:
+  push:
+  pull_request:
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Run zizmor
+        run: uvx zizmor --format sarif . > results.sarif 
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor