Harden GHA with Zizmor

[webknjaz]

Hey @oraNod, here's an integration you can add through GHA itself:

---

name: GitHub Actions Security Analysis with zizmor 🌈

on:  # yamllint disable-line rule:truthy
  push:
  pull_request:

jobs:
  zizmor:
    name: 🌈 zizmor

    permissions:
      security-events: write

    # yamllint disable-line rule:line-length
    uses: zizmorcore/workflow/.github/workflows/reusable-zizmor.yml@3bb5e95068d0f44b6d2f3f7e91379bed1d2f96a8

...

Optionally, it could also be added to pre-commit on top: https://docs.zizmor.sh/usage/#use-with-pre-commit.

It'll reveal a number of problems, each explained @ https://docs.zizmor.sh/audits/.

cc @felixfontein @gotmax23 this might be interesting to you in context of the entire set of community repos.

[samccann]

@x1101 can you take a look?

[gotmax23]

I worked on devel...gotmax23:ansible-documentation:zizmor a few months ago but never had the chance to test it and push it over the finish line.

[gotmax23]

Some of the changes suggested by zizmor are redundant because we already have a minimal set of default permissions configured in the repo settings. .github/workflows/reusable-deploy-docs.yaml does allow shell template injection without the changes, but only by people who already have permissions on the repo.

[webknjaz]

You can configure exclusions and inline ignores for false positives.

[x1101]

I'm circling back around to this, and I've got the GHA running, but I'm missing something. The action includes an upload artifacts bit, the logs show it running, but my action doesn't have any artifacts attached. Which means that none of the findings are reported to anything other than the console of that job.

If anyone has tips/thoughts, I'd appreciate it. Otherwise, I'll keep at it.