Add Zizmor to bwwl (#167)

Co-authored-by: Vince Grassia <[email protected]>

Author: mandreko-bitwarden

.github/workflows/examples/ci.yaml

@@ -5,32 +5,35 @@
 name: CI
 
 on:
-  workflow_dispatch:  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch: # Allows you to run this workflow manually from the Actions tab
   workflow_call: # Allows this workflow to be called from another workflow
-  pull_request:  # When a pull request event occurs
+  pull_request: # When a pull request event occurs
 
-permissions:  # Sets permissions of the GITHUB_TOKEN
-  checks: write  # Permits an action to create a check run
-  contents: read  # For actions to fetch code and list commits
-  packages: read  # For actions to fetch packages
-  id-token: write  # Required to fetch an OpenID Connect (OIDC) token
-  pull-requests: write  # Permits an action to add a label to a pull request
+permissions: {} # Sets default permissions of the GITHUB_TOKEN
 
 jobs:
   version:
     name: Calculate version
-    uses: ./.github/workflows/examples/example-references/_version.yml  # Path to an existing github action
+    permissions:
+      contents: read # For actions/checkout to fetch code
+    uses: ./.github/workflows/examples/example-references/_version.yml # Path to an existing github action
 
   test:
     name: Run test
+    permissions:
+      checks: write
+      contents: read
+      pull-requests: write
     uses: ./.github/workflows/examples/example-references/_test.yml
-    with:  # Parameters specific to this action that need to be defined in order for the step to be completed
+    with: # Parameters specific to this action that need to be defined in order for the step to be completed
       project-name: Billing.Test
       project-path: ./test/Billing.Test
 
   build:
     name: Run build
-    needs:  # This job will not run until test and version jobs are complete
+    permissions:
+      contents: read
+    needs: # This job will not run until test and version jobs are complete
       - test
       - version
     uses: ./.github/workflows/examples/example-references/_build.yml
@@ -41,6 +44,9 @@ jobs:
 
   build-push-docker:
     name: Build Docker image
+    permissions:
+      contents: read
+      id-token: write
     needs:
       - test
       - version

.github/workflows/examples/example.yaml

@@ -7,129 +7,120 @@
 name: Build
 
 permissions: # Sets permissions of the GITHUB_TOKEN (Can be set at the workflow level or job level)
-    contents: read
-    # More info: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
+  contents: read
+  # More info: https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#permissions
 
 on: # Describes when to run the workflow
-    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
+  # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
 
-    workflow_dispatch: # When triggered manually
+  workflow_dispatch: # When triggered manually
 
-    push: # On push to the following branches. Temporarily add a development branch to prompt workflow runs for troubleshooting
-        branches: ["main", "rc", "hotfix-rc"]
-        paths-ignore: # Updates to these directories or files will not trigger a workflow run
-            - ".github/workflows/**"
+  push: # On push to the following branches. Temporarily add a development branch to prompt workflow runs for troubleshooting
+    branches: ["main", "rc", "hotfix-rc"]
+    paths-ignore: # Updates to these directories or files will not trigger a workflow run
+      - ".github/workflows/**"
 
-    # Pull_request_target:  #We strongly discourage using this unless absolutely necessary as it requires access to certain Github secrets.
-    # If using this, include the .github/workflows/check-run.yml job and target only the main branch
-    # More info at https://github.blog/news-insights/product-news/github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks
+  # Pull_request_target:  #We strongly discourage using this unless absolutely necessary as it requires access to certain Github secrets.
+  # If using this, include the .github/workflows/check-run.yml job and target only the main branch
+  # More info at https://github.blog/news-insights/product-news/github-actions-improvements-for-fork-and-pull-request-workflows/#improvements-for-public-repository-forks
 
-    pull_request: # When a pull request event occurs
-        types:
-            [
-                opened,
-                synchronize,
-                unlabeled,
-                labeled,
-                unlabeled,
-                reopened,
-                edited,
-            ]
-        branches: ["main"] # Branches where a pull request will trigger the workflow
+  pull_request: # When a pull request event occurs
+    types:
+      [opened, synchronize, unlabeled, labeled, unlabeled, reopened, edited]
+    branches: ["main"] # Branches where a pull request will trigger the workflow
 
-    release: # Runs your workflow when release activity in your repository occurs
-        types: [published, created]
+  release: # Runs your workflow when release activity in your repository occurs
+    types: [published, created]
 
-    merge_group: # Runs required status checks on merge groups created by merge queue
-        types: [checks_requested]
+  merge_group: # Runs required status checks on merge groups created by merge queue
+    types: [checks_requested]
 
-    repository_dispatch: # Runs when a webook event triggers a workflow from outside of github
-        types: [contentful-publish] # Optional, limit repository dispatch events to those in a specified list
+  repository_dispatch: # Runs when a webook event triggers a workflow from outside of github
+    types: [contentful-publish] # Optional, limit repository dispatch events to those in a specified list
 
-    workflow_call: # Workflow can be called by another workflow
+  workflow_call: # Workflow can be called by another workflow
 
 env: # Environment variables set for this step but not accessible by all workflows, steps or jobs.
-    _AZ_REGISTRY: "ACMEprod.azurecr.io"
-    INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
+  _AZ_REGISTRY: "ACMEprod.azurecr.io"
+  INCREMENTAL: "${{ contains(github.event_name, 'pull_request') && '--sast-incremental' || '' }}"
 
 jobs: # A workflow run is made up of one or more jobs that can run sequentially or in parallel
-    first-job:
-        name: First Job Name
-        uses: ./.github/workflows/examples/example-references/_version.yml # Path to an existing github action
-        if: github.event.pull_request.draft == false # prevent part of a job from running on a draft PR
-        secrets: inherit # When called by another workflow, pass all the calling workflow's secrets to the called workflow
-        # "secrets" is only available for a reusable workflow call with "uses"
-        strategy: # Create multiple job runs for each of a set of variables
-            fail-fast: false # If true, cancel entire run if any job in the matrix fails
-            matrix: # Matrix of variables used to define multiple job runs
-                include:
-                    - project_name: Admin
-                      base_path: ./src
-                      node: true # Enables steps with if: ${{ matrix.node }}
-
-        # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
-        permissions: # Sets permissions of the GITHUB_TOKEN
-            security-events: write # Allow actions to upload results to Github
-            id-token: write # Required to fetch an OpenID Connect (OIDC) token
-            contents: read # For actions/checkout to fetch code
-            deployments: write # Permits an action to create a new deployment
-            issues: write # Permits an action to create a new issue
-            checks: write # Permits an action to create a check run
-            actions: write # Permits an action to cancel a workflow run
-            packages: read # Permits an action to access packages on GitHub Packages
-            pull-requests: write # Permits an action to add a label to a pull request
-
-    # steps: when a reusable workflow is called with "uses", "steps" is not available
-    second-job:
-        name: Second Job Name
-        runs-on: ubuntu-22.04 # The type of runner that the job will run on, not available if "uses" is used
-        permissions:
-            contents: read
-            id-token: write # Required to fetch an OpenID Connect (OIDC) token
-        defaults:
-            run: # Set the default shell and working directory
-                shell: bash
-                working-directory: "home/WorkingDirectory"
-
-        needs:
-            - first-job # This job will wait until first-job completes
-        # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/setting-a-default-shell-and-working-directory
-        steps:
-            # Using Azure go obtain secrets from Azure Key Vault
-            - name: Log in to Azure
-              uses: bitwarden/gh-actions/azure-login@main
-              with:
-                subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
-                tenant_id: ${{ secrets.AZURE_TENANT_ID }}
-                client_id: ${{ secrets.AZURE_CLIENT_ID }}
-
-            # Obtain the Key Vault secrets and use them later via GitHub outputs
-            - name: Get Azure Key Vault secrets
-              id: get-kv-secrets
-              uses: bitwarden/gh-actions/get-keyvault-secrets@main
-              with:
-                keyvault: gh-REPOSITORY_NAME_EXAMPLE # The name of the Azure Key Vault created for this repossitory
-                secrets: "SECRETS-OR-CREDENTIALS,ANOTHER-SECRET" # Comma-separated list of secrets to retrieve from Azure Key Vault
-
-            # Logout to remove access to Azure Key Vault secrets
-            - name: Log out from Azure
-              uses: bitwarden/gh-actions/azure-logout@main
-
-            - name: Descriptive step name
-              # NOT RECOMMENDED if: always()  # run even if previous steps failed or the workflow is canceled, this can cause a workflow run to hang indefinitely
-              if: failure() # run when any previous step of a job fails
-              # if: '!cancelled()'  # run even if previous steps failed
-              uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 Always pin a public action version to a full git SHA, followed by the version number in a comment.  Version pins are insecure and can introduce vulnerabilities into workflows.
-              with: # Parameters specific to this action that need to be defined in order for the step to be completed
-                  fetch-depth: 0 # Full git history for actions that rely on whether a change has occurred
-                  ref: ${{ github.event.pull_request.head.sha }}
-                  creds: ${{ steps.get-kv-secrets.outputs.SECRETS-OR-CREDENTIALS }} # Use the secrets retrieved from Azure Key Vault in the previous step
-            - name: Another descriptive step name
-              # Run a script instead of an existing github action
-              run: |
-                  whoami
-                  dotnet --info
-                  node --version
-                  npm --version
-                  echo "GitHub ref: $GITHUB_REF"
-                  echo "GitHub event: $GITHUB_EVENT"
+  first-job:
+    name: First Job Name
+    uses: ./.github/workflows/examples/example-references/_version.yml # Path to an existing github action
+    if: github.event.pull_request.draft == false # prevent part of a job from running on a draft PR
+    strategy: # Create multiple job runs for each of a set of variables
+      fail-fast: false # If true, cancel entire run if any job in the matrix fails
+      matrix: # Matrix of variables used to define multiple job runs
+        include:
+          - project_name: Admin
+            base_path: ./src
+            node: true # Enables steps with if: ${{ matrix.node }}
+
+    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+    permissions: # Sets permissions of the GITHUB_TOKEN
+      security-events: write # Allow actions to upload results to Github
+      id-token: write # Required to fetch an OpenID Connect (OIDC) token
+      contents: read # For actions/checkout to fetch code
+      deployments: write # Permits an action to create a new deployment
+      issues: write # Permits an action to create a new issue
+      checks: write # Permits an action to create a check run
+      actions: write # Permits an action to cancel a workflow run
+      packages: read # Permits an action to access packages on GitHub Packages
+      pull-requests: write # Permits an action to add a label to a pull request
+
+  # steps: when a reusable workflow is called with "uses", "steps" is not available
+  second-job:
+    name: Second Job Name
+    runs-on: ubuntu-22.04 # The type of runner that the job will run on, not available if "uses" is used
+    permissions:
+      contents: read
+      id-token: write # Required to fetch an OpenID Connect (OIDC) token
+    defaults:
+      run: # Set the default shell and working directory
+        shell: bash
+        working-directory: "home/WorkingDirectory"
+
+    needs:
+      - first-job # This job will wait until first-job completes
+    # https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/setting-a-default-shell-and-working-directory
+    steps:
+      # Using Azure go obtain secrets from Azure Key Vault
+      - name: Log in to Azure
+        uses: bitwarden/gh-actions/azure-login@main
+        with:
+          subscription_id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+          tenant_id: ${{ secrets.AZURE_TENANT_ID }}
+          client_id: ${{ secrets.AZURE_CLIENT_ID }}
+
+      # Obtain the Key Vault secrets and use them later via GitHub outputs
+      - name: Get Azure Key Vault secrets
+        id: get-kv-secrets
+        uses: bitwarden/gh-actions/get-keyvault-secrets@main
+        with:
+          keyvault: gh-REPOSITORY_NAME_EXAMPLE # The name of the Azure Key Vault created for this repossitory
+          secrets: "SECRETS-OR-CREDENTIALS,ANOTHER-SECRET" # Comma-separated list of secrets to retrieve from Azure Key Vault
+
+      # Logout to remove access to Azure Key Vault secrets
+      - name: Log out from Azure
+        uses: bitwarden/gh-actions/azure-logout@main
+
+      - name: Descriptive step name
+        # NOT RECOMMENDED if: always()  # run even if previous steps failed or the workflow is canceled, this can cause a workflow run to hang indefinitely
+        if: failure() # run when any previous step of a job fails
+        # if: '!cancelled()'  # run even if previous steps failed
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 Always pin a public action version to a full git SHA, followed by the version number in a comment.  Version pins are insecure and can introduce vulnerabilities into workflows.
+        with: # Parameters specific to this action that need to be defined in order for the step to be completed
+          persist-credentials: false # Do not persist the token used to fetch the repository, more secure
+          fetch-depth: 0 # Full git history for actions that rely on whether a change has occurred
+          ref: ${{ github.event.pull_request.head.sha }}
+          creds: ${{ steps.get-kv-secrets.outputs.SECRETS-OR-CREDENTIALS }} # Use the secrets retrieved from Azure Key Vault in the previous step
+      - name: Another descriptive step name
+        # Run a script instead of an existing github action
+        run: |
+          whoami
+          dotnet --info
+          node --version
+          npm --version
+          echo "GitHub ref: $GITHUB_REF"
+          echo "GitHub event: $GITHUB_EVENT"

.github/workflows/examples/pull_request_target.yml

@@ -7,11 +7,11 @@
 name: Build Thing on PR Target
 
 permissions:
-  checks: read 
+  checks: read
   contents: read
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types: [opened, synchronize, reopened]
     branches:
       - main
@@ -30,4 +30,3 @@ jobs:
     needs: check-run
     if: ${{ github.event.pull_request.head.repo.full_name != github.repository }}
     uses: ./.github/workflows/examples/ci.yaml
-    secrets: inherit