add zizmor

zeitlinger · zeitlinger · commit 6cd9bd920d7e · 2025-04-29T11:50:40.000+02:00
Signed-off-by: Gregor Zeitlinger &lt;gregor.zeitlinger@grafana.com&gt;
diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
@@ -6,12 +6,16 @@ on:
   pull_request:
     branches: [ "main" ]
 
+permissions: {}
+
 jobs:
   acceptance-tests:
     runs-on: ubuntu-24.04
     steps:
       - name: Check out
+        with:
+          persist-credentials: false
         uses: actions/checkout@v4
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
       - name: Run acceptance tests
         run: mise run acceptance-test
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,12 +6,16 @@ on:
   pull_request:
     branches: [ "main" ]
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
-      - uses: jdx/mise-action@v2
+        with:
+          persist-credentials: false
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
       - name: Cache local Maven repository
         uses: actions/cache@v4
         with:
diff --git a/.github/workflows/github-pages.yaml b/.github/workflows/github-pages.yaml
@@ -11,11 +11,7 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
+permissions: {}
 
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@@ -37,50 +33,62 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-tags: 'true'
           fetch-depth: 0
-      - name: Set up JDK
-        uses: actions/setup-java@v4
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
         with:
-          java-version: 17
-          distribution: temurin
-          cache: 'maven'
+          cache: 'false'
       - name: Set release version
         run: ./scripts/set-release-version-github-pages.sh
-      - name: Install Hugo CLI
-        run: |
-          wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
-          && sudo dpkg -i ${{ runner.temp }}/hugo.deb
+        with:
+          permissions: block
       - name: Make Javadoc
         run: ./mvnw -B clean compile javadoc:javadoc javadoc:aggregate -P javadoc
+        with:
+          permissions: block
       - name: Move the Javadoc to docs/static/api/
         run: mv ./target/reports/apidocs ./docs/static/api && echo && echo 'ls ./docs/static/api' && ls ./docs/static/api
+        with:
+          permissions: block
       - name: Setup Pages
         id: pages
         uses: actions/configure-pages@v5
       - name: Install Node.js dependencies
         run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
+        with:
+          permissions: block
         working-directory: ./docs
       - name: Build with Hugo
         env:
           # For maximum backward compatibility with Hugo modules
           HUGO_ENVIRONMENT: production
           HUGO_ENV: production
+          BASE_URL: "${{ steps.pages.outputs.base_url }}"
         run: |
           hugo \
             --gc \
             --minify \
-            --baseURL "${{ steps.pages.outputs.base_url }}/"
+            --baseURL "${BASE_URL}/"
+        with:
+          permissions: block
         working-directory: ./docs
       - name: ls ./docs/public/api
         run: echo 'ls ./docs/public/api' && ls ./docs/public/api
+        with:
+          permissions: block
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:
           path: ./docs/public
+          # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 
   # Deployment job
   deploy:
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -0,0 +1,20 @@
+---
+name: Acceptance Tests
+
+on: [pull_request]
+
+permissions: {}
+
+jobs:
+  acceptance-tests:
+    permissions: {}
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out
+        with:
+          persist-credentials: false
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
+      - name: Lint
+        run: mise run lint-all
+
diff --git a/.github/workflows/native-tests.yml b/.github/workflows/native-tests.yml
@@ -6,12 +6,16 @@ on:
   pull_request:
     branches: [ "main" ]
 
+permissions: {}
+
 jobs:
   native-tests:
     runs-on: ubuntu-24.04
     steps:
       - name: Check out
+        with:
+          persist-credentials: false
         uses: actions/checkout@v4
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
       - name: Run native tests
         run: mise run native-test
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -9,6 +9,7 @@ jobs:
   deploy:
     if: ${{ github.repository == 'prometheus/client_java' }}
     runs-on: ubuntu-24.04
+    permissions: {}
 
     steps:
       - name: Debug gpg key - remove after debugging
@@ -19,16 +20,19 @@ jobs:
           echo "$GPG_SIGNING_KEY" | gpg --batch --import-options import-show --import
       - name: Checkout Plugin Repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set Up JDK
         uses: actions/setup-java@v4
         with:
           java-version: 17
           distribution: temurin
-          cache: 'maven'
 
       - name: Build with Maven
-        run: ./scripts/build-release.sh ${{ github.ref_name }}
+        run: ./scripts/build-release.sh
+        env:
+          TAG: ${{ github.ref_name }}
 
       - name: Set up Apache Maven Central
         uses: actions/setup-java@v4
diff --git a/mise.lock b/mise.lock
@@ -1,3 +1,11 @@
+[tools."cargo:zizmor"]
+version = "1.6.0"
+backend = "cargo:zizmor"
+
+[tools."go:github.com/gohugoio/hugo"]
+version = "latest"
+backend = "go:github.com/gohugoio/hugo"
+
 [tools."go:github.com/grafana/oats"]
 version = "0.3.0"
 backend = "go:github.com/grafana/oats"
diff --git a/mise.toml b/mise.toml
@@ -2,6 +2,8 @@
 PROTO_GENERATION = "true"
 
 [tools]
+"cargo:zizmor" = "latest"
+"go:github.com/gohugoio/hugo" = "latest"
 "go:github.com/grafana/oats" = "latest"
 java = "temurin-17.0.13+11"
 protoc = "latest"
@@ -35,6 +37,12 @@ run = "./mvnw verify"
 description = "build all modules wihthout tests"
 run = "./mvnw install -DskipTests"
 
+[tasks.lint-gh-actions]
+run = "zizmor .github/"
+
+[tasks.lint-all]
+depends = ["lint-gh-actions"]
+
 [tasks.acceptance-test]
 description = "Run OATs acceptance tests"
 depends = "build"
diff --git a/scripts/build-release.sh b/scripts/build-release.sh
@@ -2,7 +2,6 @@
 
 set -euo pipefail
 
-TAG=$1
 VERSION=${TAG#v}
 
 mvn versions:set -DnewVersion=$VERSION
