HDDS-14920. Check actions with zizmor (#56)

adoroszlai · web-flow · commit 1ebbe2050eab · 2026-04-17T10:52:36.000-04:00
diff --git a/.github/workflows/build-and-tag.yaml b/.github/workflows/build-and-tag.yaml
@@ -24,13 +24,14 @@ on:
     branches:
       - 'ozone-**'
 
-permissions:
-  contents: read
-  packages: write
+permissions: { }
 
 jobs:
   build:
     uses: ./.github/workflows/build.yaml
+    permissions:
+      contents: read
+      packages: write
 
   tag:
     needs: build
@@ -39,6 +40,9 @@ jobs:
       DOCKERHUB_USER: ${{ secrets.DOCKERHUB_USER }}
       IMAGE_ID: ${{ needs.build.outputs.image-id }}
       REGISTRIES: ghcr.io # docker.io is appended dynamically
+    permissions:
+      contents: read
+      packages: write
     steps:
       - name: Generate tags
         uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -35,16 +35,17 @@ concurrency:
   group: ${{ github.sha }}
   cancel-in-progress: false
 
-permissions:
-  contents: read
-  packages: write
-
 env:
   OZONE_RUNNER_IMAGE: ghcr.io/apache/ozone-runner
 
+permissions: { }
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
     outputs:
       image-id: ${{ steps.meta.outputs.tags }}
     steps:
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: zizmor
+
+on:
+  push:
+  pull_request:
+
+permissions: { }
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+    - name: Checkout project
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
+
+    - name: Run zizmor
+      uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
