Merge pull request #290 from smallstep/carl/add-zizmor-frizbee

Add zizmor and frizbee CI/CD security checks

Author: tashian

.github/workflows/actionlint.yml

@@ -9,6 +9,6 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check workflow files
-        uses: docker://rhysd/actionlint:latest
+        uses: docker://index.docker.io/rhysd/actionlint@sha256:6f03470d0152251d7f07f7c4dc019dbe7024c72cd952f839544c7798843efa8f # 1.7.11
         with:
           args: -color

.github/workflows/ci.yml

@@ -11,6 +11,9 @@ on:
       - opened
       - synchronize
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
@@ -20,6 +23,14 @@ jobs:
     name: Lint GitHub workflows
     uses: ./.github/workflows/actionlint.yml
 
+  zizmor:
+    name: Scan GitHub workflows
+    uses: ./.github/workflows/zizmor.yml
+
+  frizbee:
+    name: Check action pinning
+    uses: ./.github/workflows/frizbee.yml
+
   lint-dummy-app: # NOTE(@azazeal): this check is here to verify that .golangci.yml is valid
     name: Lint dummy app
     runs-on: ubuntu-latest

.github/workflows/code-scan.yml

@@ -6,7 +6,12 @@ on:
         type: boolean
         default: true
 
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
 jobs:
   codeql:
     if: inputs.run-codeql
-    uses: smallstep/workflows/.github/workflows/codeql-analysis.yml@main
+    uses: ./.github/workflows/codeql-analysis.yml

.github/workflows/codeql-analysis.yml

@@ -72,7 +72,7 @@ jobs:
             ~/go/pkg/mod || true
       -
         name: Action Cache
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ~/.cache/go-build

.github/workflows/dependabot-auto-merge.yml

@@ -11,7 +11,7 @@ permissions: {}
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     permissions:
       contents: write
       pull-requests: write

.github/workflows/docker-buildx-push.yml

@@ -69,5 +69,8 @@ jobs:
           build-args: ${{ inputs.docker_build_args }}
       - name: Cosign
         id: cosign
+        env:
+          DOCKER_IMAGE: ${{ inputs.docker_image }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
         run: |
-          cosign sign -r ${{ inputs.docker_image }}@${{ steps.build-and-push.outputs.digest }} --yes
+          cosign sign -r "${DOCKER_IMAGE}@${DIGEST}" --yes

.github/workflows/frizbee.yml

@@ -0,0 +1,28 @@
+name: Frizbee pinning check
+on:
+  workflow_call:
+
+jobs:
+  frizbee:
+    name: Check action pinning
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Install frizbee
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: |
+          gh release download v0.1.8 --repo stacklok/frizbee \
+            --pattern 'frizbee_0.1.8_linux_amd64.tar.gz' \
+            --output frizbee.tar.gz
+          tar -xzf frizbee.tar.gz frizbee
+          sudo mv frizbee /usr/local/bin/
+          rm frizbee.tar.gz
+      - name: Check pinning
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        run: frizbee actions --dry-run --error .github/workflows/

.github/workflows/goCI.yml

@@ -1,3 +1,6 @@
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
@@ -90,7 +93,7 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Check workflow files
-        uses: docker://rhysd/actionlint:latest
+        uses: docker://index.docker.io/rhysd/actionlint@sha256:6f03470d0152251d7f07f7c4dc019dbe7024c72cd952f839544c7798843efa8f # 1.7.11
         with:
           args: -color
 
@@ -120,6 +123,10 @@ jobs:
 
   codeql:
     if: inputs.run-codeql
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
     uses: ./.github/workflows/codeql-analysis.yml
     with:
       goprivate: ${{ inputs.goprivate }}
@@ -145,6 +152,12 @@ jobs:
       PAT: ${{ secrets.PAT }}
       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
 
+  zizmor:
+    uses: ./.github/workflows/zizmor.yml
+
+  frizbee:
+    uses: ./.github/workflows/frizbee.yml
+
   build:
     uses: ./.github/workflows/goBuild.yml
     if: inputs.run-build

.github/workflows/goTest.yml

@@ -107,7 +107,7 @@ jobs:
             ~/go/pkg/mod || true
       -
         name: Action Cache
-        uses: actions/cache@v5
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: |
             ~/.cache/go-build

.github/workflows/goreleaser.yml

@@ -130,15 +130,15 @@ jobs:
         name: Authenticate to Google Cloud
         if: inputs.enable-packages-upload
         id: gcloud-auth
-        uses: google-github-actions/auth@v3
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
         with:
           token_format: access_token
           workload_identity_provider: ${{ secrets.GOOGLE_CLOUD_WORKLOAD_IDENTITY_PROVIDER }}
           service_account: ${{ secrets.GOOGLE_CLOUD_GITHUB_SERVICE_ACCOUNT }}
       -
         name: Set up Google Cloud SDK
         if: inputs.enable-packages-upload
-        uses: google-github-actions/setup-gcloud@v3
+        uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3
         with:
           project_id: ${{ secrets.GOOGLE_CLOUD_PACKAGES_PROJECT_ID }}
       -