ci: add zizmor (#1146)

* ci: add zizmor

* trigger ci

* adjust permissions

* typo

* adjust

* adjust

* chore: auto version bump [bot]

* adjust

* adjust

* fix

* chore: auto version bump [bot]

* undo bump version

* fix branch

---------

Co-authored-by: Thegaram <[email protected]>

Author: Thegaram

.github/workflows/bump_version.yml

@@ -14,12 +14,18 @@ jobs:
   try-to-bump:
     if: contains(github.event.pull_request.labels.*.name, 'bump-version')
     runs-on: ubuntu-latest
+    permissions:
+      # Give the default GITHUB_TOKEN write permission to commit and push the
+      # added or changed files to the repository.
+      contents: write
+
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.head_ref }}
-          persist-credentials: false
+          # note: this is needed by git-auto-commit-action below
+          persist-credentials: true
 
       - name: check diff
         id: check_diff
@@ -29,7 +35,7 @@ jobs:
           # fetch develop branch so that we can diff against later
           git fetch origin develop
 
-          echo 'checking verion changes in diff...'
+          echo 'checking version changes in diff...'
 
           # check if version changed in version.go
           # note: the grep will fail if use \d instead of [0-9]
@@ -59,7 +65,7 @@ jobs:
         run: node .github/scripts/bump_version_dot_go.mjs
 
         # Commits made by this Action do not trigger new Workflow runs
-      - uses: stefanzweifel/git-auto-commit-action@3ea6ae190baf489ba007f7c92608f33ce20ef04a
+      - uses: stefanzweifel/git-auto-commit-action@e348103e9026cc0eee72ae06630dbe30c8bf7a79 # v5.1.0
         if: steps.check_diff.outputs.result == 'bump'
         with:
           skip_fetch: true # already did fetch in check diff

.github/workflows/docker-arm64.yaml

@@ -11,6 +11,8 @@ on:
 jobs:
   build-and-push-arm64-image:
     runs-on: ubuntu-latest
+    permissions: {}
+
     strategy:
       matrix:
         arch:
@@ -32,6 +34,7 @@ jobs:
         uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
         with:
           cache-binary: false
+
       - name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
         with:

.github/workflows/docker.yaml

@@ -10,6 +10,8 @@ on:
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
+    permissions: {}
+
     steps:
     - name: Checkout code
       uses: actions/checkout@v2

.github/workflows/l2geth_ci.yml

@@ -1,3 +1,5 @@
+name: CI
+
 on:
   push:
     branches: # we keep this to avoid triggering `push` & `pull_request` every time we update a PR
@@ -11,12 +13,12 @@ on:
       - reopened
       - synchronize
       - ready_for_review
-name: CI
-jobs:
 
+jobs:
   build-mock-ccc-geth: # build geth with mock circuit capacity checker
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
@@ -35,6 +37,7 @@ jobs:
   build-geth: # build geth with circuit capacity checker
     if: github.event_name == 'push' # will only be triggered when pushing to main & staging & develop & alpha
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
@@ -62,6 +65,7 @@ jobs:
   check:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
@@ -81,6 +85,7 @@ jobs:
   goimports-lint:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
@@ -107,6 +112,7 @@ jobs:
   go-mod-tidy-lint:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
@@ -130,6 +136,7 @@ jobs:
   test:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2

.github/workflows/semgrep.yml

@@ -15,6 +15,7 @@ jobs:
   semgrep:
     name: semgrep/ci
     runs-on: ubuntu-20.04
+    permissions: {}
     env:
       SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
     container:

.github/workflows/zizmor.yml

@@ -0,0 +1,34 @@
+name: zizmor GA Security Analysis
+
+on:
+  push:
+    branches: ["develop"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231 # v5.3.1
+
+      - name: Run zizmor
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor