Use zizmor to scan GitHub actions workflows

.github/workflows/ansible-ci.yml

@@ -17,15 +17,19 @@ env:
   ANSIBLE_GALAXY_SERVER_GALAXY_TIMEOUT: 120
   ANSIBLE_GALAXY_SERVER_LIST: "galaxy"
 
+permissions: {}
+
 jobs:
   ansible-lint:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Ansible lint
-        uses: ansible/ansible-lint@v25.12.2
+        uses: ansible/ansible-lint@a2bc8b8b13a80802215856c56823d85007d3baf5  # v25.12.2
         with:
           requirements_file: test-requirements.yml
 

.github/workflows/ansible-documentation-release.yml

@@ -15,7 +15,7 @@ jobs:
     permissions:
       contents: read
     name: build
-    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@main
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9  # main
     with:
       collection-name: hachyderm.general
       init-project: Hachyderm General Collection
@@ -38,7 +38,7 @@ jobs:
     needs:
       - build
     name: publish
-    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9  # main
     with:
       artifact-name: ${{ needs.build.outputs.artifact-name }}
       publish-gh-pages-branch: true

.github/workflows/ansible-documentation.yml

@@ -11,14 +11,16 @@ on:
       - synchronize
       - closed
 
+permissions: {}
+
 jobs:
   # Validation job runs a strict build to ensure it will fail CI on any mistakes.
   validate:
     permissions:
       contents: read
     name: validate
     if: github.event.action != 'closed'
-    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@main
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-push.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9  # main
     with:
       collection-name: hachyderm.general
       artifact-upload: false
@@ -33,10 +35,12 @@ jobs:
     if: github.event.action != 'closed'
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.13"
 
@@ -77,7 +81,7 @@ jobs:
       - validate
       - docsmith
     name: build
-    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-pr.yml@main
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-pr.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9  # main
     with:
       collection-name: hachyderm.general
       init-project: Hachyderm General Collection
@@ -100,7 +104,7 @@ jobs:
     needs:
       - build
     name: publish PR preview
-    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9  # main
     with:
       artifact-name: ${{ needs.build.outputs.artifact-name }}
       action: publish
@@ -118,7 +122,7 @@ jobs:
     name: comment
     steps:
       - name: PR comment
-        uses: ansible-community/github-docs-build/actions/ansible-docs-build-comment@main
+        uses: ansible-community/github-docs-build/actions/ansible-docs-build-comment@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9  # main
         with:
           body-includes: '## Docs Build'
           reactions: heart
@@ -159,7 +163,7 @@ jobs:
       pages: write
       id-token: write
     name: cleanup PR preview
-    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@main
+    uses: ansible-community/github-docs-build/.github/workflows/_shared-docs-build-publish-gh-pages.yml@f724ea35f2f4f14a18c45ad363ffa5f76eabeec9  # main
     with:
       artifact-name: ${{ needs.build.outputs.artifact-name }}
       action: teardown

.github/workflows/ansible-galaxy.yml

@@ -17,15 +17,19 @@ env:
   ANSIBLE_GALAXY_SERVER_LIST: "galaxy"
   ANSIBLE_GALAXY_SERVER_GALAXY_TOKEN: "${{ secrets.ANSIBLE_GALAXY_TOKEN }}"
 
+permissions: {}
+
 jobs:
   ansible-galaxy:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: "3.13"
 
@@ -47,7 +51,7 @@ jobs:
           namespace=$(yq -r ".namespace" < galaxy.yml)
           name=$(yq -r ".name" < galaxy.yml)
           version=$(yq -r ".version" < galaxy.yml)
-          tag=$(echo ${{ github.ref }} | sed 's,refs/tags/,,g')
+          tag=$(echo ${GITHUB_REF} | sed 's,refs/tags/,,g')
           if [ "${tag}" != "${version}" ] ; then
             echo "The version of the collection (${version}) is different than the tag (${tag})"
             exit 1

.github/workflows/ansible-sanity.yml

@@ -11,7 +11,9 @@ jobs:
       ansible-versions: ${{ steps.list-ansible-versions.outputs.ansible-versions }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: List Ansible versions
         id: list-ansible-versions
@@ -32,7 +34,7 @@ jobs:
         needs.define-versions.outputs.ansible-versions != ''
     steps:
       - name: Perform sanity test with ansible-test
-        uses: ansible-community/ansible-test-gh-action@v1.17.0
+        uses: ansible-community/ansible-test-gh-action@d3a8ec7a59694e25e210fcd44738910149537f0e  # v1.17.0
         with:
           ansible-core-version: stable-${{ matrix.ansible-version }}
           testing-type: sanity

.github/workflows/molecule.yml

@@ -17,7 +17,9 @@ jobs:
       roles: ${{ steps.list-roles.outputs.roles }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: List Ansible versions
         id: list-ansible-versions
@@ -47,10 +49,12 @@ jobs:
         needs.define-versions.outputs.roles != ''
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6
         with:
           python-version: ${{ inputs.python-version }}
 
@@ -59,7 +63,9 @@ jobs:
           python -m pip install --upgrade pip
           pip install \
             molecule==25.12.0 \
-            ansible-core~=${{ matrix.ansible-version }}.0
+            ansible-core~=${ANSIBLE_VERSION}.0
+        env:
+          ANSIBLE_VERSION: ${{ matrix.ansible-version }}
 
       - name: Install dependencies
         working-directory: ./roles/${{ matrix.role }}

.github/workflows/zizmor.yml

@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor 🌈
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write # Required for upload-sarif (used by zizmor-action) to upload SARIF files.
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3