Add workflow linting with Zizmor (#582)

* lint fixes from zizmor

Signed-off-by: Jussi Kukkonen <[email protected]>

* Add zizmor linter

This uses the zizmor docker image because otherwise we have to start depending
on python tools which is a little awkward in a golang project.

* Define version using Dockerfile
* Run zizmor in "make lint" and in the lint action, using the version in
  Dockerfile

Signed-off-by: Jussi Kukkonen <[email protected]>

---------

Signed-off-by: Jussi Kukkonen <[email protected]>

Author: jku

.github/dependabot.yml

@@ -22,6 +22,8 @@ updates:
       go-patch-updates:
         update-types:
           - "patch"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
@@ -30,6 +32,8 @@ updates:
       actions-patch-updates:
         update-types:
           - "patch"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "docker"
     directories:
       - "/"
@@ -39,6 +43,8 @@ updates:
       docker-patch-updates:
         update-types:
           - "patch"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "docker-compose"
     directories:
       - "/"
@@ -49,3 +55,5 @@ updates:
       docker-compose-patch-updates:
         update-types:
           - "patch"
+    cooldown:
+      default-days: 7

.github/workflows/build_container.yml

@@ -21,6 +21,9 @@ on:
     branches:
       - main
   workflow_call:
+    secrets:
+      GITHUB_TOKEN:
+        required: true
 
 # Defines two custom environment variables for the workflow. These are used for the Container registry domain, and a name for the Docker image that this workflow builds.
 env:

.github/workflows/lint.yml

@@ -48,9 +48,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Run ShellCheck
         uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
         with:
           scandir: ./tests/sharding
           severity: warning
+
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run Zizmor
+        run: |
+          ZIZMOR=$(grep FROM Dockerfile.zizmor | cut -d' ' -f 2)
+          docker run --rm -v $PWD:/source $ZIZMOR /source

.github/workflows/release.yml

@@ -81,7 +81,8 @@ jobs:
   build-container:
     name: Build and push container image
     uses: ./.github/workflows/build_container.yml
-    secrets: inherit
+    secrets:
+      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     needs: approval
     permissions:
       contents: read

Dockerfile.zizmor

@@ -0,0 +1,2 @@
+# Not built, only used to get dependabot to update the version
+FROM ghcr.io/zizmorcore/zizmor:1.16.2@sha256:f49ba23d190f90cb837e7e117803cbf96f5632bc65417d7e2fdb04f606e19c17 AS zizmor

Makefile

@@ -37,6 +37,7 @@ SRC = $(shell find . -iname "*.go" | grep -v -e $(subst $() $(), -e ,$(strip $(P
 PROTO_SRC = $(shell find $(PROTO_DIRS))
 
 SIGSTORE_PROTO_BUILDER = $(shell grep FROM Dockerfile.protobuf-specs | cut -d' ' -f 2)
+ZIZMOR = $(shell grep FROM Dockerfile.zizmor | cut -d' ' -f 2)
 
 # for docker protobuf build
 GO_MODULE = github.com/sigstore/rekor-tiles/v2
@@ -67,6 +68,7 @@ lint:
 		-v $(shell go env GOMODCACHE):/.cache/mod -e GOMODCACHE=/.cache/mod \
 		-v ~/.cache/golangci-lint:/.cache/golangci-lint -e GOLANGCI_LINT_CACHE=/.cache/golangci-lint \
 		$(shell awk -F '[ @]' '/FROM golangci\/golangci-lint/{print $$2; exit}' Dockerfile.golangci-lint) golangci-lint run -v ./...
+	docker run -t --rm -v $(PWD):/source $(ZIZMOR) /source
 
 gosec: ## Run gosec security scanner
 	$(GOBIN)/gosec ./...