ci: Add zizmor pre-commit hook (#311)

* ci: Add zizmor pre-commit hook

Even though it's pretty new, zizmor has already established itself as a very
potent static analysis tool for GitHub Actions. Let's give it a go to see
what it has to say on our current CI.

* Address zizmor findings

No persisting credentials, and the test and docs jobs in the test workflow
each get job-scoped content writing permissions.

mike creates an automated commit on release/main push, so it does need
credentials - those are then explicitly set.

Fixes the mike action by putting inputs as environment variables. The alias
is explicitly not quoted, since otherwise mike would pick it up, and it cannot
deal with an empty string alias.

Author: nicholasjng

.github/actions/mike-docs/action.yaml

@@ -26,10 +26,13 @@ runs:
     shell: bash
   - env:
       DOCS_PRERELEASE: ${{ inputs.pre_release }}
+      INPUTS_PUSH: ${{ inputs.push }}
+      INPUTS_VERSION: ${{ inputs.version }}
+      INPUTS_ALIAS: ${{ inputs.alias }}
     run: |
       MIKE_OPTIONS=( "--update-aliases" )
-      if [ "true" = "${{ inputs.push }}" ]; then
+      if [ "true" = "${INPUTS_PUSH}" ]; then
         MIKE_OPTIONS+=( "--push" )
       fi
-      uv run mike deploy ${{ inputs.version }} ${{ inputs.alias }} "${MIKE_OPTIONS[@]}"
+      uv run mike deploy "${INPUTS_VERSION}" ${INPUTS_ALIAS} "${MIKE_OPTIONS[@]}"
     shell: bash

.github/workflows/python.yaml

@@ -8,22 +8,23 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
-
 jobs:
   lint:
     name: Run code checks and formatting hooks
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python 3.10 and dependencies
         uses: ./.github/actions/python-deps
         with:
           pythonVersion: "3.10"
       - name: Run pre-commit checks
         run: uv run pre-commit run --all-files --verbose --show-diff-on-failure
   test:
+    permissions:
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -52,6 +53,8 @@ jobs:
           LAKEFS_BLOCKSTORE_TYPE: "local"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install uv
         uses: astral-sh/setup-uv@v5
         with:
@@ -73,6 +76,8 @@ jobs:
   docs:
     name: Build documentation for lakefs-spec
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     services:
       lakefs:
         image: treeverse/lakefs:latest
@@ -89,6 +94,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: true
       - name: Set up Python 3.11 and dependencies
         uses: ./.github/actions/python-deps
         with:

.github/workflows/release.yaml

@@ -27,6 +27,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # for documentation builds
+          persist-credentials: true
       - name: Set up Python and dependencies
         uses: ./.github/actions/python-deps
         with:

.pre-commit-config.yaml

@@ -17,7 +17,7 @@ repos:
         types_or: [python, pyi]
         args: [--ignore-missing-imports, --scripts-are-modules]
   - repo: https://github.com/astral-sh/ruff-pre-commit
-    rev: v0.8.6
+    rev: v0.9.0
     hooks:
       - id: ruff
         args: [--fix, --exit-non-zero-on-fix]
@@ -35,3 +35,8 @@ repos:
     hooks:
       - id: uv-lock
         name: Lock project dependencies
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.0.1
+    hooks:
+      - id: zizmor
+        args: [--min-severity=medium]