[GH-1977] Add zizmor with pre-commit (#2582)

jbampton · Aashish-Jha-11 · web-flow · commit 179ccd2eede2 · 2026-01-08T21:18:47.000-08:00
Co-authored-by: Aashish Jha &lt;aashishjha1107@gmail.com&gt;
diff --git a/.github/linters/zizmor.yml b/.github/linters/zizmor.yml
@@ -0,0 +1,29 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+rules:
+  unpinned-uses:
+    config:
+      policies:
+        actions/*: any
+        astral-sh/setup-uv: any
+        docker/setup-qemu-action: any
+        github/*: any
+        pypa/cibuildwheel: any
+        r-lib/actions/check-r-package: any
+        r-lib/actions/setup-r: any
+        r-lib/actions/setup-r-dependencies: any
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -41,6 +41,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v4
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
@@ -60,6 +60,8 @@ jobs:
         shell: bash
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-java@v5
         with:
           distribution: 'zulu'
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -26,6 +26,9 @@ on:
     branches:
       - '*'
 
+permissions:
+  contents: write
+
 env:
   MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=60
 
@@ -40,6 +43,7 @@ jobs:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Java
         uses: actions/setup-java@v5
         with:
diff --git a/.github/workflows/example.yml b/.github/workflows/example.yml
@@ -59,6 +59,8 @@ jobs:
             hadoop: 3.3.4
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-java@v5
         with:
           distribution: 'zulu'
diff --git a/.github/workflows/java.yml b/.github/workflows/java.yml
@@ -86,6 +86,8 @@ jobs:
             skipTests: ''
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-java@v5
         with:
           distribution: 'zulu'
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -18,7 +18,7 @@
 # https://github.com/actions/labeler
 name: Pull Request Labeler
 on:
-  - pull_request_target
+  - pull_request_target # zizmor: ignore[dangerous-triggers]
 jobs:
   triage:
     permissions:
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -33,6 +33,8 @@ jobs:
     steps:
       - name: 'Checkout ${{ github.ref }} ( ${{ github.sha }} )'
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v6 # https://www.python.org/
         with:
           python-version: '3.10' # Version range or exact version of a Python version to use, using SemVer's version range syntax
diff --git a/.github/workflows/pyflink.yml b/.github/workflows/pyflink.yml
@@ -39,6 +39,9 @@ on:
       - 'python/**'
       - '.github/workflows/pyflink.yml'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -51,6 +54,8 @@ jobs:
         python: ['3.11', '3.10']
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-java@v5
         with:
           distribution: 'zulu'
diff --git a/.github/workflows/python-extension.yml b/.github/workflows/python-extension.yml
@@ -59,6 +59,8 @@ jobs:
         working-directory: python
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.python }}
diff --git a/.github/workflows/python-wheel.yml b/.github/workflows/python-wheel.yml
@@ -39,6 +39,9 @@ on:
       - 'python/**'
       - '.github/workflows/python-wheel.yml'
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
@@ -54,6 +57,8 @@ jobs:
         shell: bash
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Set up QEMU
         if: runner.os == 'Linux'
         uses: docker/setup-qemu-action@v3
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -113,6 +113,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: actions/setup-java@v5
         with:
           distribution: 'zulu'
diff --git a/.github/workflows/r.yml b/.github/workflows/r.yml
@@ -39,6 +39,9 @@ on:
       - 'R/**'
       - '.github/workflows/r.yml'
 
+permissions:
+  contents: read
+
 env:
   MAVEN_OPTS: -Dmaven.wagon.httpconnectionManager.ttlSeconds=60
   JAI_CORE_VERSION: '1.1.3'
@@ -84,6 +87,8 @@ jobs:
           sudo apt-get -y remove --purge default-jdk adoptopenjdk-11-hotspot || :
         shell: bash
       - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - uses: r-lib/actions/setup-r@v2.11.4
         with:
           r-version: ${{ matrix.r }}
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -310,6 +310,15 @@ repos:
       - id: gitleaks
         name: run gitleaks
         description: check for secrets with gitleaks
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.20.0
+    hooks:
+      - id: zizmor
+        name: run zizmor
+        description: zizmor is a static analysis tool for GitHub Actions
+        args: [--config=.github/linters/zizmor.yml]
+        files: ^\.github/workflows/.*$
+        types: [yaml]
   - repo: https://github.com/pre-commit/pygrep-hooks
     rev: v1.10.0
     hooks:
