ci: Add zizmor to pre-commit and fix findings (#1457)

* chore: Add zizmor to pre-commit and fix findings

* chore: Remove a few redudant quotes from YAML files

This should be enforced by yamllint in the future.

* ci: Add contents: read permission to reusable worflow callers

* ci: Add id-token: write permission to reusable worflow callers

Author: Techassi

.github/workflows/boil_pr.yaml

@@ -9,6 +9,9 @@ on:
       - "rust/boil/**.rs"
       - "Cargo.*"
 
+permissions:
+  contents: read
+
 env:
   RUST_VERSION: 1.89.0
 
@@ -29,7 +32,6 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
-          submodules: recursive
 
       - name: Run cargo-deny
         uses: EmbarkStudios/cargo-deny-action@3fd3802e88374d3fe9159b834c7714ec57d6c979 # v2.0.15

.github/workflows/boil_release.yaml

@@ -6,13 +6,19 @@ on:
     tags:
       - "boil-[0-9]+.[0-9]+.[0-9]+**"
 
+permissions: {}
+
 env:
   RUST_VERSION: 1.89.0
 
 jobs:
   create-release:
     name: Create Draft Release
     runs-on: ubuntu-latest
+    permissions:
+      # Write is needed to draft the release
+      # See https://github.com/softprops/action-gh-release/blob/153bb8e04406b158c6c84fc1615b65b24149a1fe/README.md?plain=1#L281
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -44,6 +50,10 @@ jobs:
           - { target: x86_64-unknown-linux-gnu, os: ubuntu-latest }
           - { target: aarch64-apple-darwin, os: macos-latest }
     runs-on: ${{ matrix.targets.os }}
+    permissions:
+      # Write is needed to upload artifacts to the release
+      # See https://github.com/softprops/action-gh-release/blob/153bb8e04406b158c6c84fc1615b65b24149a1fe/README.md?plain=1#L281
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -74,6 +84,10 @@ jobs:
   finish-release:
     needs: [build]
     runs-on: ubuntu-latest
+    permissions:
+      # Write is needed to finalize the release
+      # See https://github.com/softprops/action-gh-release/blob/153bb8e04406b158c6c84fc1615b65b24149a1fe/README.md?plain=1#L281
+      contents: write
     steps:
       - name: Finish Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0

.github/workflows/build_airflow.yaml

@@ -6,7 +6,7 @@ run-name: |
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 0 1/2 * *' # https://crontab.guru/#0_0_1/2_*_*
+    - cron: 0 0 1/2 * * # https://crontab.guru/#0_0_1/2_*_*
   push:
     branches: [main]
     tags:
@@ -22,13 +22,18 @@ on:
       - .github/workflows/build_airflow.yaml
       - .github/workflows/reusable_build_image.yaml
 
+permissions: {}
+
 jobs:
   build_image:
     name: Reusable Workflow
     uses: ./.github/workflows/reusable_build_image.yaml
     secrets:
       harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
       slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    permissions:
+      id-token: write
+      contents: read
     with:
       product-name: airflow
       sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }}

.github/workflows/build_druid.yaml

@@ -6,7 +6,7 @@ run-name: |
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 1 1/2 * *' # https://crontab.guru/#0_1_1/2_*_*
+    - cron: 0 1 1/2 * * # https://crontab.guru/#0_1_1/2_*_*
   push:
     branches: [main]
     tags:
@@ -24,13 +24,18 @@ on:
       - .github/workflows/build_druid.yaml
       - .github/workflows/reusable_build_image.yaml
 
+permissions: {}
+
 jobs:
   build_image:
     name: Reusable Workflow
     uses: ./.github/workflows/reusable_build_image.yaml
     secrets:
       harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
       slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    permissions:
+      id-token: write
+      contents: read
     with:
       product-name: druid
       sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }}

.github/workflows/build_hadoop.yaml

@@ -6,7 +6,7 @@ run-name: |
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 2 1/2 * *' # https://crontab.guru/#0_2_1/2_*_*
+    - cron: 0 2 1/2 * * # https://crontab.guru/#0_2_1/2_*_*
   push:
     branches: [main]
     tags:
@@ -24,13 +24,18 @@ on:
       - .github/workflows/build_hadoop.yaml
       - .github/workflows/reusable_build_image.yaml
 
+permissions: {}
+
 jobs:
   build_image:
     name: Reusable Workflow
     uses: ./.github/workflows/reusable_build_image.yaml
     secrets:
       harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
       slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    permissions:
+      id-token: write
+      contents: read
     with:
       product-name: hadoop
       sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }}

.github/workflows/build_hbase.yaml

@@ -6,7 +6,7 @@ run-name: |
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 0 2/2 * *' # https://crontab.guru/#0_0_2/2_*_*
+    - cron: 0 0 2/2 * * # https://crontab.guru/#0_0_2/2_*_*
   push:
     branches: [main]
     tags:
@@ -25,13 +25,18 @@ on:
       - .github/workflows/build_hbase.yaml
       - .github/workflows/reusable_build_image.yaml
 
+permissions: {}
+
 jobs:
   build_image:
     name: Reusable Workflow
     uses: ./.github/workflows/reusable_build_image.yaml
     secrets:
       harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
       slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    permissions:
+      id-token: write
+      contents: read
     with:
       product-name: hbase
       sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }}

.github/workflows/build_hive.yaml

@@ -6,7 +6,7 @@ run-name: |
 on:
   workflow_dispatch:
   schedule:
-    - cron: "0 2 2/2 * *" # https://crontab.guru/#0_2_2/2_*_*
+    - cron: 0 2 2/2 * * # https://crontab.guru/#0_2_2/2_*_*
   push:
     branches: [main]
     tags:
@@ -25,13 +25,18 @@ on:
       - .github/workflows/build_hive.yaml
       - .github/workflows/reusable_build_image.yaml
 
+permissions: {}
+
 jobs:
   build_image:
     name: Reusable Workflow
     uses: ./.github/workflows/reusable_build_image.yaml
     secrets:
       harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
       slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    permissions:
+      id-token: write
+      contents: read
     with:
       product-name: hive
       sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }}

.github/workflows/build_java-base.yaml

@@ -6,7 +6,7 @@ run-name: |
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 0 1/2 * *' # https://crontab.guru/#0_0_1/2_*_*
+    - cron: 0 0 1/2 * * # https://crontab.guru/#0_0_1/2_*_*
   push:
     branches: [main]
     tags:
@@ -20,13 +20,18 @@ on:
       - .github/workflows/build_java-base.yaml
       - .github/workflows/reusable_build_image.yaml
 
+permissions: {}
+
 jobs:
   build_image:
     name: Reusable Workflow
     uses: ./.github/workflows/reusable_build_image.yaml
     secrets:
       harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
       slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    permissions:
+      id-token: write
+      contents: read
     with:
       product-name: java-base
       sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }}

.github/workflows/build_java-devel.yaml

@@ -6,7 +6,7 @@ run-name: |
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 1 1/2 * *' # https://crontab.guru/#0_1_1/2_*_*
+    - cron: 0 1 1/2 * * # https://crontab.guru/#0_1_1/2_*_*
   push:
     branches: [main]
     tags:
@@ -20,13 +20,18 @@ on:
       - .github/workflows/build_java-devel.yaml
       - .github/workflows/reusable_build_image.yaml
 
+permissions: {}
+
 jobs:
   build_image:
     name: Reusable Workflow
     uses: ./.github/workflows/reusable_build_image.yaml
     secrets:
       harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
       slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    permissions:
+      id-token: write
+      contents: read
     with:
       product-name: java-devel
       sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }}

.github/workflows/build_kafka-testing-tools.yaml

@@ -6,7 +6,7 @@ run-name: |
 on:
   workflow_dispatch:
   schedule:
-    - cron: '0 2 1/2 * *' # https://crontab.guru/#0_2_1/2_*_*
+    - cron: 0 2 1/2 * * # https://crontab.guru/#0_2_1/2_*_*
   push:
     branches: [main]
     tags:
@@ -24,13 +24,18 @@ on:
       - .github/workflows/build_kafka-testing-tools.yaml
       - .github/workflows/reusable_build_image.yaml
 
+permissions: {}
+
 jobs:
   build_image:
     name: Reusable Workflow
     uses: ./.github/workflows/reusable_build_image.yaml
     secrets:
       harbor-robot-secret: ${{ secrets.HARBOR_ROBOT_SDP_GITHUB_ACTION_BUILD_SECRET }}
       slack-token: ${{ secrets.SLACK_CONTAINER_IMAGE_TOKEN }}
+    permissions:
+      id-token: write
+      contents: read
     with:
       product-name: kafka-testing-tools
       sdp-version: ${{ github.ref_type == 'tag' && github.ref_name || '0.0.0-dev' }}