feat(ci): rename build.yaml to pr.yaml, add zizmor and PR validation (#722)

Rename build.yaml to pr.yaml, add PR title validation, labeling, and
zizmor scanning. Pin unpinned actions to SHA.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
  * Adds automated security checks via Zizmor on PRs.
  * Adds automatic PR labeling for toolchain and dependency changes.
  * Implements semantic pull request title validation.

* **Chores**
* Reworks CI workflows and build pipeline (consolidation and new
PR-triggered flows).
  * Adds a new developer CI shell for local CI-related tooling.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Teebor-Choka

.github/labeler.yml

@@ -0,0 +1,11 @@
+toolchain:
+  - changed-files:
+      - any-glob-to-any-file:
+          - 'flake.*'
+          - '*.nix'
+          - .github/**
+dependencies:
+  - changed-files:
+      - any-glob-to-any-file:
+          - yarn.lock
+          - package.json

.github/workflows/build.yaml

@@ -0,0 +1,25 @@
+---
+name: Zizmor
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+    paths: ['.github/**']
+  merge_group:
+    types: [checks_requested]
+concurrency:
+  group: ${{ github.event.pull_request.head.ref || github.ref_name }}-zizmor
+  cancel-in-progress: true
+permissions:
+  contents: read
+  security-events: write
+jobs:
+  zizmor:
+    uses: hoprnet/hopr-workflows/.github/workflows/checks-zizmor.yaml@bbd22e57cf954c15f0a6051d59329857809141dd # workflow-checks-zizmor-v1
+    permissions:
+      contents: read
+      security-events: write
+    with:
+      source_branch: ${{ github.event.pull_request.head.ref || github.ref }}
+      runner: self-hosted-hoprnet-bigger
+    secrets:
+      cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}

.github/workflows/checks-zizmor.yaml

@@ -0,0 +1,130 @@
+---
+name: PR
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+      - labeled
+      - ready_for_review
+  merge_group:
+    types: [checks_requested]
+
+concurrency:
+  group: ${{ github.event.pull_request.head.ref || github.ref_name }}-pr
+  cancel-in-progress: true
+jobs:
+  validate-pr-title:
+    name: Validate title
+    if: github.event_name == 'pull_request'
+    runs-on: self-hosted-hoprnet-small
+    permissions:
+      pull-requests: read
+    steps:
+      - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          types: |
+            fix
+            feat
+            build
+            chore
+            docs
+            style
+            refactor
+            perf
+            test
+          requireScope: false
+          ignoreLabels: |
+            bot
+            ignore-semantic-pull-request
+
+  label:
+    name: Add labels
+    if: github.event_name == 'pull_request'
+    runs-on: self-hosted-hoprnet-small
+    permissions:
+      contents: read
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
+        with:
+          disable-sudo: true
+          egress-policy: audit
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/labeler@77a4082b841706ac431479b7e2bb11216ffef250 # main on 20.02.2025
+        with:
+          sync-labels: true
+      - name: Add "external" label for forked PRs
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BASE_REPO: ${{ github.repository }}
+          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+        run: |
+          if [[ "$HEAD_REPO" != "$BASE_REPO" ]]; then
+            gh pr edit "$PR_NUMBER" --add-label "external"
+          fi
+
+  build:
+    name: Build
+    runs-on: self-hosted-hoprnet-small
+    permissions:
+      contents: read
+    strategy:
+      matrix:
+        node-version: [22.x, 24.x]
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Setup Node.js
+        uses: hoprnet/hopr-workflows/actions/setup-node-js@15db9fb5571957317b77567abef997b1554f2fbb # setup-node-js-v1
+        with:
+          node_version: ${{ matrix.node-version }}
+
+      - name: Building
+        run: yarn build
+
+      - name: Linting
+        run: yarn lint:ci
+
+      - name: Formatting
+        run: yarn format:ci
+
+      - name: Testing
+        run: yarn test
+  build-docker:
+    name: Docker
+    uses: hoprnet/hopr-workflows/.github/workflows/build-docker.yaml@43b03a7b5df777770d95c6524f48be34184b26fa # build-docker-v1
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write
+    with:
+      source_branch: ${{ github.event.pull_request.head.ref || github.ref }}
+      version_type: commit
+      build_matrix: >-
+        [
+          {
+            "runner": "self-hosted-hoprnet-bigger",
+            "architecture": "x86_64-linux",
+            "build_command": "nix run .#docker-x86_64-linux"
+          }
+        ]
+      build_file: package.json
+      docker_image_name: ${{ vars.DOCKER_IMAGE_NAME }}
+      docker_image_format: docker
+      fail_on_scan_vulnerabilities: ${{ vars.FAIL_ON_SCAN_VULNERABILITIES }}
+    secrets:
+      gcp_service_account: ${{ secrets.GCP_SA_GITHUB_RUNNER }}
+      cachix_auth_token: ${{ secrets.CACHIX_AUTH_TOKEN }}

.github/workflows/pr.yaml

@@ -31,6 +31,11 @@
         in
         {
           devShells.default = import ./shell.nix { inherit pkgs; };
+          devShells.ci = pkgs.mkShell {
+            nativeBuildInputs = [
+              pkgs.zizmor
+            ];
+          };
 
           # Expose as flake as app
           apps = {