add Zizmor (#1337)

Signed-off-by: Gregor Zeitlinger <[email protected]>

Author: zeitlinger

.github/workflows/acceptance-tests.yml

@@ -6,12 +6,16 @@ on:
   pull_request:
     branches: [ "main" ]
 
+permissions: {}
+
 jobs:
   acceptance-tests:
     runs-on: ubuntu-24.04
     steps:
       - name: Check out
+        with:
+          persist-credentials: false
         uses: actions/checkout@v4
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
       - name: Run acceptance tests
         run: mise run acceptance-test

.github/workflows/build.yml

@@ -6,12 +6,16 @@ on:
   pull_request:
     branches: [ "main" ]
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@v4
-      - uses: jdx/mise-action@v2
+        with:
+          persist-credentials: false
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
       - name: Cache local Maven repository
         uses: actions/cache@v4
         with:

.github/workflows/github-pages.yaml

@@ -11,11 +11,7 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
+permissions: {}
 
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
@@ -32,55 +28,38 @@ jobs:
   # Build job
   build:
     runs-on: ubuntu-24.04
-    env:
-      HUGO_VERSION: 0.115.4
     steps:
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           fetch-tags: 'true'
           fetch-depth: 0
-      - name: Set up JDK
-        uses: actions/setup-java@v4
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
         with:
-          java-version: 17
-          distribution: temurin
-          cache: 'maven'
-      - name: Set release version
-        run: ./scripts/set-release-version-github-pages.sh
-      - name: Install Hugo CLI
-        run: |
-          wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
-          && sudo dpkg -i ${{ runner.temp }}/hugo.deb
-      - name: Make Javadoc
-        run: ./mvnw -B clean compile javadoc:javadoc javadoc:aggregate -P javadoc
-      - name: Move the Javadoc to docs/static/api/
-        run: mv ./target/reports/apidocs ./docs/static/api && echo && echo 'ls ./docs/static/api' && ls ./docs/static/api
+          cache: 'false'
+      - name: Prepare GitHub Pages
+        run: mise run prepare-gh-pages
+        with:
+          permissions: block
       - name: Setup Pages
         id: pages
         uses: actions/configure-pages@v5
-      - name: Install Node.js dependencies
-        run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true"
-        working-directory: ./docs
-      - name: Build with Hugo
-        env:
-          # For maximum backward compatibility with Hugo modules
-          HUGO_ENVIRONMENT: production
-          HUGO_ENV: production
-        run: |
-          hugo \
-            --gc \
-            --minify \
-            --baseURL "${{ steps.pages.outputs.base_url }}/"
-        working-directory: ./docs
-      - name: ls ./docs/public/api
-        run: echo 'ls ./docs/public/api' && ls ./docs/public/api
+      - name: Build GitHub Pages
+        run: mise run build-gh-pages
+        with:
+          permissions: block
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v3
         with:
           path: ./docs/public
+          # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 
   # Deployment job
   deploy:
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}

.github/workflows/lint.yml

@@ -0,0 +1,20 @@
+---
+name: Acceptance Tests
+
+on: [pull_request]
+
+permissions: {}
+
+jobs:
+  acceptance-tests:
+    permissions: {}
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out
+        with:
+          persist-credentials: false
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
+      - name: Lint
+        run: mise run lint-all
+

.github/workflows/native-tests.yml

@@ -6,12 +6,16 @@ on:
   pull_request:
     branches: [ "main" ]
 
+permissions: {}
+
 jobs:
   native-tests:
     runs-on: ubuntu-24.04
     steps:
       - name: Check out
+        with:
+          persist-credentials: false
         uses: actions/checkout@v4
-      - uses: jdx/mise-action@v2
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
       - name: Run native tests
         run: mise run native-test

.github/workflows/release.yml

@@ -9,6 +9,7 @@ jobs:
   deploy:
     if: ${{ github.repository == 'prometheus/client_java' }}
     runs-on: ubuntu-24.04
+    permissions: {}
 
     steps:
       - name: Debug gpg key - remove after debugging
@@ -19,16 +20,19 @@ jobs:
           echo "$GPG_SIGNING_KEY" | gpg --batch --import-options import-show --import
       - name: Checkout Plugin Repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set Up JDK
         uses: actions/setup-java@v4
         with:
           java-version: 17
           distribution: temurin
-          cache: 'maven'
 
       - name: Build with Maven
-        run: ./scripts/build-release.sh ${{ github.ref_name }}
+        run: ./scripts/build-release.sh
+        env:
+          TAG: ${{ github.ref_name }}
 
       - name: Set up Apache Maven Central
         uses: actions/setup-java@v4

mise.lock

@@ -1,3 +1,11 @@
+[tools."cargo:zizmor"]
+version = "1.6.0"
+backend = "cargo:zizmor"
+
+[tools."go:github.com/gohugoio/hugo"]
+version = "v0.147.0"
+backend = "go:github.com/gohugoio/hugo"
+
 [tools."go:github.com/grafana/oats"]
 version = "0.3.0"
 backend = "go:github.com/grafana/oats"
@@ -6,6 +14,10 @@ backend = "go:github.com/grafana/oats"
 version = "temurin-17.0.13+11"
 backend = "core:java"
 
+[tools.node]
+version = "23.10.0"
+backend = "core:node"
+
 [tools.protoc]
 version = "30.2"
 backend = "aqua:protocolbuffers/protobuf/protoc"

mise.toml

@@ -2,8 +2,11 @@
 PROTO_GENERATION = "true"
 
 [tools]
+"cargo:zizmor" = "latest"
+"go:github.com/gohugoio/hugo" = "latest"
 "go:github.com/grafana/oats" = "latest"
 java = "temurin-17.0.13+11"
+node = "latest"
 protoc = "latest"
 
 [tasks.ci]
@@ -35,6 +38,12 @@ run = "./mvnw verify"
 description = "build all modules wihthout tests"
 run = "./mvnw install -DskipTests"
 
+[tasks.lint-gh-actions]
+run = "zizmor .github/"
+
+[tasks.lint-all]
+depends = ["lint-gh-actions"]
+
 [tasks.acceptance-test]
 description = "Run OATs acceptance tests"
 depends = "build"
@@ -49,6 +58,30 @@ dir = "integration-tests/it-spring-boot-smoke-test"
 [tasks.set-version]
 run = 'mvn versions:set -DnewVersion={{arg(name="version")}}'
 
+[tasks.javadoc]
+run = [
+  "./mvnw -B clean compile javadoc:javadoc javadoc:aggregate -P javadoc",
+  "mv ./target/reports/apidocs ./docs/static/api && echo && echo 'ls ./docs/static/api' && ls ./docs/static/api"
+]
+
+[tasks.set-gh-pages-version]
+run = "./scripts/set-release-version-github-pages.sh"
+
+[tasks.prepare-gh-pages]
+description = "Prepare GitHub pages"
+depends = ["javadoc", "set-gh-pages-version"]
+
+[tasks.build-gh-pages]
+description = "Build GitHub pages"
+# For maximum backward compatibility with Hugo modules
+env = { HUGO_ENVIRONMENT = "production", HUGO_ENV = "production" }
+dir = "docs"
+run = [
+  "npm ci",
+  "hugo --gc --minify --baseURL ${BASE_URL}/",
+  "echo 'ls ./docs/public/api' && ls ./docs/public/api"
+]
+
 [settings]
 # to get lock file support and for go backend
 experimental = true

scripts/build-release.sh

@@ -2,7 +2,6 @@
 
 set -euo pipefail
 
-TAG=$1
 VERSION=${TAG#v}
 
 mvn versions:set -DnewVersion=$VERSION