fix(ci): resolve all zizmor findings and add zizmor pre-commit checks #2053

Open
gforsyth wants to merge 2 commits into rapidsai:main from gforsyth:securitize
@gforsyth gforsyth commented May 1, 2026

Similar to upstream changes in shared-workflows, this PR cleans up and annotates all of the workflows and adds the zizmor linter to make sure changes are checked.

Part of rapidsai/build-planning#275

@gforsyth gforsyth requested a review from a team as a code owner May 1, 2026 18:06
@gforsyth gforsyth added improvement Improves an existing functionality non-breaking Introduces a non-breaking change labels May 1, 2026
@gforsyth gforsyth requested a review from a team as a code owner May 1, 2026 18:06
@gforsyth gforsyth requested a review from KyleFromNVIDIA May 1, 2026 18:06
@gforsyth gforsyth added improvement Improves an existing functionality and removed improvement Improves an existing functionality labels May 1, 2026

coderabbitai Bot commented May 1, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Add workflow-level default-deny permissions: {}; grant explicit, least-privilege job permissions; pin many uses: entries to commit SHAs and set actions/checkout persist-credentials: false; scope publish job secrets; add .github/zizmor.yml and a zizmor pre‑commit hook.

Changes

Global permission and job-scope updates

| Layer | File(s) | Summary |
|---|---|---|
| Policy surface | .github/workflows/* | Add top-level permissions: {} on workflows where present. |
| Per‑job scopes | .github/workflows/build.yaml, .github/workflows/pr.yaml, .github/workflows/test.yaml, .github/workflows/trigger-breaking-change-alert.yaml, .github/workflows/labeler.yml | Introduce explicit job permissions blocks (commonly actions: read, contents: read, id-token: write, packages: read, pull-requests: read) replacing implicit defaults; many retained secrets: inherit entries annotated with # zizmor: ignore[secrets-inherit]. |
| Telemetry / checks adjustments | .github/workflows/pr.yaml | Narrowed telemetry-setup and telemetry-summarize permissions; added issues: write for check-c-abi. |

Action pinning & checkout hardening

| Layer | File(s) | Summary |
|---|---|---|
| Pinning policy | .github/workflows/check-c-abi.yaml, .github/workflows/publish-rust.yaml, .github/workflows/store-c-abi-baseline.yaml, .github/workflows/update-c-abi-baseline.yaml, .github/workflows/labeler.yml | Replace floating uses: tags with specific commit SHAs for multiple actions (checkout, setup-python, github-script, upload-artifact, labeler, get-pr-info). |
| Checkout config | .../check-c-abi.yaml, .../publish-rust.yaml, .../store-c-abi-baseline.yaml, .../update-c-abi-baseline.yaml | Set actions/checkout step to persist-credentials: false to avoid credential leakage; no logic changes to step bodies aside from pins. |

Scoped secret and restricted publish jobs

| Layer | File(s) | Summary |
|---|---|---|
| Publish job permissions | .github/workflows/build.yaml, .github/workflows/publish-rust.yaml | Constrain rust-publish to permissions: { contents: read } and similarly restrict other publish-related jobs. |
| Scoped secrets | .github/workflows/build.yaml | Replace broad secrets: inherit with explicit secret mappings for publish jobs, forwarding only required tokens (e.g., GPUTESTER_CRATES_TOKEN, CONDA_RAPIDSAI_*, RAPIDSAI_PYPI_TOKEN). |

Baseline workflows and push re-authentication

| Layer | File(s) | Summary |
|---|---|---|
| Pin & checkout | .github/workflows/store-c-abi-baseline.yaml, .github/workflows/update-c-abi-baseline.yaml | Pin actions to SHAs and set persist-credentials: false on checkout. |
| Re-auth for push | .github/workflows/store-c-abi-baseline.yaml | Re-authenticate before git push by resetting origin remote to an HTTPS URL using GITHUB_TOKEN to allow commits/pushes after credential disabling. |

Zizmor policy and pre-commit hook

| Layer | File(s) | Summary |
|---|---|---|
| Policy config | .github/zizmor.yml | Add unpinned-uses rule with exceptions for rapidsai/shared-workflows/* and rapidsai/shared-actions/*; require hash pinning elsewhere. |
| Pre-commit | .pre-commit-config.yaml | Add zizmorcore/zizmor-pre-commit hook at v1.24.1. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and specifically summarizes the main changes: resolving zizmor security findings in CI workflows and adding zizmor pre-commit checks. |
| Description check | ✅ Passed | The description is directly related to the changeset, explaining that it cleans up and annotates workflows and adds zizmor linting, matching the actual changes across multiple workflow files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yaml:
- Around line 243-246: Replace the broad "secrets: inherit" usage for the job
that does "uses: ./.github/workflows/publish-rust.yaml" with an explicit mapping
that only passes the required secret(s) (e.g., CRATES_IO_TOKEN) to the reusable
workflow, and update the called workflow publish-rust.yaml to declare that
secret under on.workflow_call.secrets so the contract is explicit; specifically
remove or change "secrets: inherit" to something like "secrets: {
CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }} }" and add the corresponding
secret declaration in publish-rust.yaml's on.workflow_call.secrets block.

In @.github/workflows/store-c-abi-baseline.yaml:
- Around line 21-23: The workflow disables checkout credentials via the
actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 step by setting
persist-credentials: false, which will prevent subsequent git push to the
baselines branch from authenticating; either re-enable persisted credentials
(remove or set persist-credentials: true on the actions/checkout step) or add an
explicit auth step after checkout (e.g., set up a PAT/GITHUB_TOKEN via
actions/setup-node or actions/configure-aws-credentials style step and configure
git remote creds) so the later git push can authenticate successfully.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b5285516-af67-4713-be1f-a77eac863194

📥 Commits

Reviewing files that changed from the base of the PR and between 7cf69cb and 73b52b8.

📒 Files selected for processing (11)
  • .github/workflows/build.yaml
  • .github/workflows/check-c-abi.yaml
  • .github/workflows/labeler.yml
  • .github/workflows/pr.yaml
  • .github/workflows/publish-rust.yaml
  • .github/workflows/store-c-abi-baseline.yaml
  • .github/workflows/test.yaml
  • .github/workflows/trigger-breaking-change-alert.yaml
  • .github/workflows/update-c-abi-baseline.yaml
  • .github/zizmor.yml
  • .pre-commit-config.yaml

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/build.yaml:
- Around line 243-247: The publish workflow's secret is miswired: add a secrets
declaration to the publish workflow's on.workflow_call (declare
GPUTESTER_CRATES_TOKEN with required: true) so the called workflow exposes the
secret, and in the calling workflow change the passed secret name from
GPU_CRATES_TOKEN to GPUTESTER_CRATES_TOKEN so that the referenced
secrets.GPUTESTER_CRATES_TOKEN is defined and can be assigned to
CARGO_REGISTRY_TOKEN during the publish step.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: c09bddc8-95e9-41f4-ac6d-0693ca21ff9b

📥 Commits

Reviewing files that changed from the base of the PR and between 73b52b8 and 51cefc2.

📒 Files selected for processing (2)
  • .github/workflows/build.yaml
  • .github/workflows/store-c-abi-baseline.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/store-c-abi-baseline.yaml

Comment on lines +243 to 247
permissions:
contents: read
secrets:
GPU_CRATES_TOKEN: ${{ secrets.GPUTESTER_CRATES_TOKEN }}
uses: ./.github/workflows/publish-rust.yaml
⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify publish-rust.yaml's on.workflow_call section for secrets declaration
echo "=== Checking publish-rust.yaml workflow_call secrets declaration ==="
rg -n -A10 'on:' .github/workflows/publish-rust.yaml | head -30

echo ""
echo "=== Checking how the secret is used in publish-rust.yaml ==="
rg -n 'secrets\.' .github/workflows/publish-rust.yaml

Repository: rapidsai/cuvs

Length of output: 846


🏁 Script executed:

# Read the on: section from publish-rust.yaml to see complete workflow_call
head -20 .github/workflows/publish-rust.yaml

# Also verify build.yaml lines around 243-247
sed -n '240,250p' .github/workflows/build.yaml

Repository: rapidsai/cuvs

Length of output: 718


🏁 Script executed:

# Confirm the CARGO_REGISTRY_TOKEN reference in publish-rust.yaml
grep -n -B2 -A2 'CARGO_REGISTRY_TOKEN' .github/workflows/publish-rust.yaml

Repository: rapidsai/cuvs

Length of output: 446


Secret wiring is broken — Rust publish will fail.

The publish-rust.yaml workflow does not declare any secrets in its on.workflow_call block (lines 3-4), yet it directly references secrets.GPUTESTER_CRATES_TOKEN at line 66 to set CARGO_REGISTRY_TOKEN. Additionally, the secret passed from build.yaml is named GPU_CRATES_TOKEN, which doesn't match the referenced name. When the workflow runs, CARGO_REGISTRY_TOKEN will be undefined and cargo publish will fail.

To fix, make coordinated changes in both files:

  1. In publish-rust.yaml, add the secrets declaration:
on:
  workflow_call:
    secrets:
      GPUTESTER_CRATES_TOKEN:
        required: true
  2. In build.yaml, pass the secret with the correct name:
    secrets:
-       GPU_CRATES_TOKEN: ${{ secrets.GPUTESTER_CRATES_TOKEN }}
+       GPUTESTER_CRATES_TOKEN: ${{ secrets.GPUTESTER_CRATES_TOKEN }}
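Review bot: on the `+` line the key left of the colon is the name the called workflow receives, while the right-hand side is the caller's own secret, so this rename only takes effect once publish-rust.yaml declares GPUTESTER_CRATES_TOKEN under on.workflow_call.secrets. Land the rename and the declaration from step 1 in the same commit so that no intermediate revision passes a name the callee has not declared.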
🧰 Tools
🪛 actionlint (1.7.12)

[error] 246-246: secret "GPU_CRATES_TOKEN" is not defined in "./.github/workflows/publish-rust.yaml" reusable workflow. no secret is defined

(workflow-call)

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yaml around lines 243 - 247, The publish workflow's
secret is miswired: add a secrets declaration to the publish workflow's
on.workflow_call (declare GPUTESTER_CRATES_TOKEN with required: true) so the
called workflow exposes the secret, and in the calling workflow change the
passed secret name from GPU_CRATES_TOKEN to GPUTESTER_CRATES_TOKEN so that the
referenced secrets.GPUTESTER_CRATES_TOKEN is defined and can be assigned to
CARGO_REGISTRY_TOKEN during the publish step.
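An added example, not part of the PR or the bot's review: a stdlib-only Python check of the caller/callee secret contract discussed in the comment above. The workflow snippets are constructed from the lines quoted in the review, the helper names are hypothetical, and the indentation-based reader assumes block-style mappings with an explicit `secrets:` map (not `secrets: inherit`).

```python
import re

KEY = re.compile(r"^( *)([\w.-]+):")

def child_keys(text, path):
    """Keys directly under the block-style mapping at `path`.
    Minimal indentation reader, enough for files shaped like the samples."""
    stack, found = [], []
    for line in text.splitlines():
        m = KEY.match(line)
        if not m:
            continue  # blank lines, comments, list items
        indent, key = len(m.group(1)), m.group(2)
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if [k for _, k in stack] == path:
            found.append(key)
        stack.append((indent, key))
    return found

def check_secret_contract(caller, job, callee):
    """Compare what the caller passes with what the callee declares and uses."""
    passed = set(child_keys(caller, ["jobs", job, "secrets"]))
    declared = set(child_keys(callee, ["on", "workflow_call", "secrets"]))
    # GITHUB_TOKEN is provided automatically and is never declared.
    used = set(re.findall(r"\$\{\{\s*secrets\.(\w+)", callee)) - {"GITHUB_TOKEN"}
    return {
        "passed_not_declared": sorted(passed - declared),
        "used_not_declared": sorted(used - declared),
        "declared_not_passed": sorted(declared - passed),
    }

# Constructed samples modelled on the snippets quoted in the review.
CALLER_BEFORE = """\
jobs:
  rust-publish:
    permissions:
      contents: read
    secrets:
      GPU_CRATES_TOKEN: ${{ secrets.GPUTESTER_CRATES_TOKEN }}
    uses: ./.github/workflows/publish-rust.yaml
"""
CALLEE_BEFORE = """\
on:
  workflow_call:
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - run: cargo publish
        env:
          CARGO_REGISTRY_TOKEN: ${{ secrets.GPUTESTER_CRATES_TOKEN }}
"""
CALLER_AFTER = CALLER_BEFORE.replace("GPU_CRATES_TOKEN:", "GPUTESTER_CRATES_TOKEN:")
CALLEE_AFTER = CALLEE_BEFORE.replace(
    "  workflow_call:\n",
    "  workflow_call:\n    secrets:\n      GPUTESTER_CRATES_TOKEN:\n        required: true\n",
)

if __name__ == "__main__":
    for name, caller, callee in [("before", CALLER_BEFORE, CALLEE_BEFORE),
                                 ("caller only", CALLER_AFTER, CALLEE_BEFORE),
                                 ("after", CALLER_AFTER, CALLEE_AFTER)]:
        print(name, check_secret_contract(caller, "rust-publish", callee))
```

The "caller only" case corresponds to the state flagged in the later duplicate comments, where the name was corrected in build.yaml but the declaration in publish-rust.yaml was still missing.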

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
.github/workflows/build.yaml (1)

245-247: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

rust-publish secret contract is still incomplete and breaks reusable-workflow validation.

build.yaml now passes GPUTESTER_CRATES_TOKEN (Line 246), but ./.github/workflows/publish-rust.yaml must declare that secret under on.workflow_call.secrets; otherwise actionlint continues failing and publish can’t reliably receive the token.

Proposed fix in .github/workflows/publish-rust.yaml
 on:
   workflow_call:
+    secrets:
+      GPUTESTER_CRATES_TOKEN:
+        required: true
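Review bot: `required: true` on the added GPUTESTER_CRATES_TOKEN entry makes every caller of publish-rust.yaml supply the secret, so confirm build.yaml is the only caller or update the others in the same change. A `description:` line under the secret would also record that it feeds CARGO_REGISTRY_TOKEN for the publish step.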

Based on learnings: Ensure that CI passes all status checks before a pull request can be merged.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/build.yaml around lines 245 - 247, The reusable workflow
publish-rust.yaml is missing a declaration for the GPUTESTER_CRATES_TOKEN secret
under on.workflow_call.secrets, causing actionlint to fail when build.yaml
passes that secret; add an entry named GPUTESTER_CRATES_TOKEN to the
on.workflow_call.secrets block in publish-rust.yaml so the secret contract
matches what build.yaml provides (ensure the secret name exactly matches
GPUTESTER_CRATES_TOKEN).
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 48444b11-fd3c-496f-9849-13ea3a5cca94

📥 Commits

Reviewing files that changed from the base of the PR and between 839f22d and e0b86be.

📒 Files selected for processing (3)
  • .github/workflows/build.yaml
  • .github/workflows/publish-rust.yaml
  • .github/workflows/store-c-abi-baseline.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • .github/workflows/publish-rust.yaml
  • .github/workflows/store-c-abi-baseline.yaml

@coderabbitai coderabbitai Bot left a comment

♻️ Duplicate comments (1)
.github/workflows/build.yaml (1)

227-229: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

rust-publish secret pass-through is still broken at the reusable-workflow boundary.

Line 228 forwards GPUTESTER_CRATES_TOKEN, but ./.github/workflows/publish-rust.yaml still needs that secret declared under on.workflow_call.secrets; otherwise this call fails at runtime/validation.

Proposed fix (in .github/workflows/publish-rust.yaml)
on:
  workflow_call:
+   secrets:
+     GPUTESTER_CRATES_TOKEN:
+       required: true
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/build.yaml around lines 227 - 229, The reusable workflow
publish-rust.yaml is missing a declaration for the forwarded secret, so add
GPUTESTER_CRATES_TOKEN under on.workflow_call.secrets in publish-rust.yaml
(e.g., ensure the on.workflow_call.secrets map includes GPUTESTER_CRATES_TOKEN:
{ required: true } or similar) so the call from the parent workflow (which
passes GPUTESTER_CRATES_TOKEN) validates and the secret is available to the
publish-rust workflow.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9422c2a2-2ca1-48fa-9300-20d3c37de50e

📥 Commits

Reviewing files that changed from the base of the PR and between e0b86be and 4e47643.

📒 Files selected for processing (4)
  • .github/workflows/build.yaml
  • .github/workflows/pr.yaml
  • .github/workflows/test.yaml
  • .github/workflows/trigger-breaking-change-alert.yaml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/test.yaml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/pr.yaml

fix(ci): ignore `secrets-inherit` for `shared-workflows`

fix(ci): add explicit permissions to every job

fix(ci): allow "dangerous triggers"

fix(ci): pin all third-party actions

fix(ci): don't persist credentials unless needed

fix(ci): only pass crates token to publish rust

fix(c-abi-baseline): add credentials for the c-abi-baseline commit

chore: suppress trusted publishing warning

fix: remove unnecessary secret passing

refactor(ci): pare back permissions
@jameslamb jameslamb removed the request for review from KyleFromNVIDIA May 6, 2026 19:31
@jakirkham
Member

Recently a workaround was added for an unrelated CI failure with PR: #2062

Have updated this PR to pull those changes in and rerun CI

Labels

improvement Improves an existing functionality non-breaking Introduces a non-breaking change

Projects

Status: In Progress

4 participants