chore(ci): fix zizmor findings in workflows

Author: soonum

.github/dependabot.yaml

@@ -7,3 +7,5 @@ updates:
       # Check for updates to GitHub Actions every sunday
       interval: "weekly"
       day: "sunday"
+    cooldown:
+      default-days: 7

.github/workflows/approve_label.yml

@@ -9,12 +9,14 @@ on:
 
 permissions: {}
 
+# zizmor: ignore[concurrency-limits] this workflow needs to react to any event in a pull-request
+
 jobs:
   trigger-tests:
     name: approve_label/trigger-tests
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: write
+      pull-requests: write # Needed to apply or remove label
     steps:
       - name: Get current labels
         uses: snnaplab/get-labels-action@f426df40304808ace3b5282d4f036515f7609576

.github/workflows/aws_tfhe_backward_compat_tests.yml

@@ -29,6 +29,8 @@ on:
 permissions:
   contents: read
 
+# zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning
+
 jobs:
   setup-instance:
     name: aws_tfhe_backward_compat_tests/setup-instance
@@ -58,10 +60,10 @@ jobs:
   backward-compat-tests:
     name: aws_tfhe_backward_compat_tests/backward-compat-tests (bpr)
     needs: [ setup-instance ]
+    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
     concurrency:
       group: ${{ github.workflow_ref }}${{ github.ref == 'refs/heads/main' && github.sha || '' }}
       cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
-    runs-on: ${{ needs.setup-instance.outputs.runner-name }}
     steps:
       - name: Checkout tfhe-rs
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8

.github/workflows/aws_tfhe_fast_tests.yml

@@ -27,12 +27,14 @@ on:
 permissions:
   contents: read
 
+# zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning
+
 jobs:
   should-run:
     name: aws_tfhe_fast_tests/should-run
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: read
+      pull-requests: read # Needed to check for file change
     outputs:
       csprng_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.csprng_any_changed }}
       zk_pok_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.zk_pok_any_changed }}

.github/workflows/aws_tfhe_integer_tests.yml

@@ -33,6 +33,8 @@ on:
 permissions:
   contents: read
 
+# zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning
+
 jobs:
   should-run:
     name: aws_tfhe_integer_tests/should-run
@@ -42,7 +44,7 @@ jobs:
       github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: read
+      pull-requests: read  # Needed to check for file change
     outputs:
       integer_test: ${{ github.event_name == 'workflow_dispatch' ||
         steps.changed-files.outputs.integer_any_changed }}

.github/workflows/aws_tfhe_noise_checks.yml

@@ -23,6 +23,8 @@ on:
 permissions:
   contents: read
 
+# zizmor: ignore[concurrency-limits] only Zama organization members can trigger this workflow
+
 jobs:
   setup-instance:
     name: aws_tfhe_noise_checks/setup-instance

.github/workflows/aws_tfhe_signed_integer_tests.yml

@@ -33,6 +33,8 @@ on:
 permissions:
   contents: read
 
+# zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning
+
 jobs:
   should-run:
     name: aws_tfhe_signed_integer_tests/should-run
@@ -43,7 +45,7 @@ jobs:
       github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     permissions:
-      pull-requests: read
+      pull-requests: read  # Needed to check for file change
     outputs:
       integer_test: ${{ github.event_name == 'workflow_dispatch' ||
         steps.changed-files.outputs.integer_any_changed }}

.github/workflows/aws_tfhe_tests.yml

@@ -30,14 +30,16 @@ on:
 permissions:
   contents: read
 
+# zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning
+
 jobs:
   should-run:
     name: aws_tfhe_tests/should-run
     runs-on: ubuntu-latest
     if: github.event_name != 'schedule' ||
       (github.event_name == 'schedule' && github.repository == 'zama-ai/tfhe-rs')
     permissions:
-      pull-requests: read
+      pull-requests: read  # Needed to check for file change
     outputs:
       csprng_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.csprng_any_changed }}
       zk_pok_test: ${{ env.IS_PULL_REQUEST == 'false' || steps.changed-files.outputs.zk_pok_any_changed }}

.github/workflows/aws_tfhe_wasm_tests.yml

@@ -26,6 +26,8 @@ on:
 permissions:
   contents: read
 
+# zizmor: ignore[concurrency-limits] concurrency is managed after instance setup to ensure safe provisioning
+
 jobs:
   setup-instance:
     name: aws_tfhe_wasm_tests/setup-instance
@@ -57,7 +59,7 @@ jobs:
     name: aws_tfhe_wasm_tests/wasm-tests
     needs: setup-instance
     concurrency:
-      group: ${{ github.workflow_ref }}
+      group: ${{ github.workflow_ref }}_${{github.event_name}}
       cancel-in-progress: true
     runs-on: ${{ needs.setup-instance.outputs.runner-name }}
     steps:

.github/workflows/benchmark_cpu.yml

@@ -60,6 +60,8 @@ on:
 
 permissions: {}
 
+# zizmor: ignore[concurrency-limits] only Zama organization members can trigger this workflow
+
 jobs:
   run-benchmarks:
     name: benchmark_cpu/run-benchmarks