Lint our GitHub Actions workflows with zizmor

zizmor is a new tool to lint GitHub Actions workflows. For the most part
our workflows are pretty low risk since we don't give it a bunch of
credentials, but we can avoid issues in the future by locking them down
now.

Two overall issues needed to be fixed:
* setting persist-credentials: false for actions/checkout, which we do
everywhere except in the workflows that need to push.
* Don't use template expansion when we can use a normal bash variable.

While zizmor is written in Rust, it is also shipped as a prebuilt binary
via PyPI, so we can set it as a poetry dependency and run it as part of
our normal lint CI.

Refs <freedomofpress/securedrop-tooling#18>.

.github/workflows/build.yml

@@ -25,8 +25,11 @@ jobs:
       - run: |
           apt-get update && apt-get install --yes git git-lfs sudo make
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           repository: "freedomofpress/securedrop-builder"
           path: "securedrop-builder"
           lfs: true
@@ -54,8 +57,11 @@ jobs:
       artifact_id: ${{ steps.upload.outputs.artifact-id }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           repository: "freedomofpress/securedrop-builder"
           path: "securedrop-builder"
           lfs: true
@@ -81,8 +87,11 @@ jobs:
       artifact_id: ${{ steps.upload.outputs.artifact-id }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           repository: "freedomofpress/securedrop-builder"
           path: "securedrop-builder"
           lfs: true
@@ -145,6 +154,8 @@ jobs:
       - build-debs
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@v4
         with:
           pattern: "build-${{ matrix.debian_version }}"

.github/workflows/cargo-vet.yml

@@ -21,13 +21,15 @@ jobs:
       CARGO_VET_VERSION: 0.10.0
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: actions/cache@v4
       id: cache-vet
       with:
         path: /usr/local/cargo/bin/cargo-vet
         key: cargo-vet-${{ env.CARGO_VET_VERSION }}
     - name: Install the cargo-vet binary, if needed
       if: ${{ steps.cache-vet.outputs.cache-hit != 'true' }}
-      run: cargo install --version ${{ env.CARGO_VET_VERSION }} cargo-vet
+      run: cargo install --version $CARGO_VET_VERSION cargo-vet
     - name: Invoke cargo-vet
       run: cargo vet --locked

.github/workflows/ci.yml

@@ -25,6 +25,8 @@ jobs:
       - run: |
           apt-get update && apt-get install --yes git make apparmor
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Lint AppArmor profiles
         run: |
           make lint-apparmor
@@ -40,6 +42,8 @@ jobs:
       - run: |
           apt-get update && apt-get install --yes git make desktop-file-utils
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Lint .desktop files
         run: |
           make lint-desktop
@@ -55,6 +59,8 @@ jobs:
       - run: |
           apt-get update && apt-get install --yes git make file python3-poetry
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: |
           poetry install
@@ -80,6 +86,8 @@ jobs:
       - run: |
           apt-get update && apt-get install --yes git make gnupg python3-poetry
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: |
           poetry -C ${{ matrix.component }} install
@@ -96,6 +104,8 @@ jobs:
       - run: |
           apt-get update && apt-get install --yes git make python3-poetry
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Run safety
         run: |
           poetry install
@@ -108,6 +118,8 @@ jobs:
     container: rust:1.81.0
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Configure Qubes repository
         run: |
           cp scripts/qubes_42.sources /etc/apt/sources.list.d/

.github/workflows/nightlies.yml

@@ -27,8 +27,11 @@ jobs:
       artifact_id: ${{ steps.upload.outputs.artifact-id }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           repository: "freedomofpress/securedrop-builder"
           path: "securedrop-builder"
           lfs: true
@@ -58,12 +61,16 @@ jobs:
           pattern: "*${{ matrix.debian_version }}"
       - uses: actions/checkout@v4
         with:
+          # We need to store credentials here
+          persist-credentials: true
           repository: "freedomofpress/securedrop-apt-test"
           path: "securedrop-apt-test"
           lfs: true
           token: ${{ secrets.PUSH_TOKEN }}
       - uses: actions/checkout@v4
         with:
+          # We need to store credentials here
+          persist-credentials: true
           repository: "freedomofpress/build-logs"
           path: "build-logs"
           token: ${{ secrets.PUSH_TOKEN }}

.github/workflows/sdk.yml

@@ -20,8 +20,11 @@ jobs:
       DOCKERIZE_VERSION: "v0.7.0"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           repository: "freedomofpress/securedrop"
           path: "securedrop-server"
       - uses: actions/setup-python@v5

.github/workflows/security.yml

@@ -10,6 +10,8 @@ jobs:
     container: rust:1.81.0
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Check Rust dependencies
         run: |
           cargo install cargo-audit

.github/workflows/test.yml

@@ -33,7 +33,6 @@ jobs:
     steps:
       - run: |
           apt-get update && apt-get install --yes git make gnupg sudo python3-poetry
-      - uses: actions/checkout@v4
       - name: Setup user
         run: |
           # We want to run tests as a regular user, similar to Qubes VMs
@@ -42,6 +41,8 @@ jobs:
         run: apt-get install --yes build-essential curl libssl-dev pkg-config
         if: ${{ matrix.component == 'proxy' }}
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       # Install Rust, keep in sync with rust-toolchain.toml
       - uses: dtolnay/[email protected]
         if: ${{ matrix.component == 'proxy' }}
@@ -74,6 +75,8 @@ jobs:
       - run: |
           apt-get update && apt-get install --yes git make gnupg sudo python3-poetry
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup user
         run: |
           # We want to run tests as a regular user, similar to Qubes VMs
@@ -100,6 +103,8 @@ jobs:
       - run: |
           apt-get update && apt-get install --yes git make python3-poetry
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: |
           poetry -C client install

Makefile

@@ -27,7 +27,7 @@ lint-desktop: ## Lint .desktop files
 	find . -name *.desktop -type f -not -path '*/\.git/*' | xargs desktop-file-validate
 
 .PHONY: lint
-lint: check-ruff shellcheck ## Run linters and formatters
+lint: check-ruff shellcheck zizmor ## Run linters and formatters
 
 .PHONY: fix
 fix: ## Fix lint and formatting issues
@@ -54,6 +54,10 @@ safety:  ## Run safety dependency checks on build dependencies
 shellcheck:  ## Lint shell scripts
 	@poetry run ./scripts/shellcheck.sh
 
+.PHONY: zizmor
+zizmor: ## Lint GitHub Actions workflows
+	@poetry run zizmor .
+
 .PHONY: rust-lint
 rust-lint: ## Lint Rust code
 	cargo fmt --check

pyproject.toml

@@ -15,6 +15,7 @@ python = "^3.11"
 ruff = "^0.6.4"
 safety = "*"
 shellcheck-py = "*"
+zizmor = "*"
 
 [tool.ruff]
 line-length = 100