github: Enable GitHub Actions static analysis with zizmor

.github/workflows/check_protos.yml

@@ -4,13 +4,17 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   check_protos:
     name: Check .proto files
     runs-on: ubuntu-latest
     steps:
       - name: Check out repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: ni/python-actions/setup-python@a2554c7e5680982d3355677b2290e48b60678744 # v0.8.0
         id: setup-python
@@ -26,4 +30,4 @@ jobs:
         working-directory: ./.github/check_protos
       - name: Check .proto files
         run: poetry run python _check_protos.py
-        working-directory: ./.github/check_protos
+        working-directory: ./.github/check_protos

.github/workflows/check_workflows.yml

@@ -0,0 +1,21 @@
+name: Check workflows
+
+on:
+  workflow_call:
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Check out repo
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6

.github/workflows/ci.yml

@@ -7,11 +7,22 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   check_protos:
     name: Check .proto files
     uses: ./.github/workflows/check_protos.yml
+  check_workflows:
+    name: Check workflows
+    uses: ./.github/workflows/check_workflows.yml
+    permissions:
+      security-events: write
   create_ci_artifacts:
     name: Create CI artifacts
     uses: ./.github/workflows/create_ci_artifacts.yml
-
+  trigger_azdo_ci:
+    name: Trigger AzDO CI
+    uses: ./.github/workflows/trigger_azdo_ci.yml
+    secrets:
+      AZDO_PIPELINE_TRIGGERS: ${{ secrets.AZDO_PIPELINE_TRIGGERS }}

.github/workflows/create_ci_artifacts.yml

@@ -4,9 +4,7 @@ on:
   workflow_call:
   workflow_dispatch:
 
-env:
-  POETRY_VERSION: 1.8.2
-  PYTHON_VERSION: 3.11.9
+permissions: {}
 
 jobs:
   build:
@@ -16,6 +14,8 @@ jobs:
     steps:
     - name: Checkout repo
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
 
     - name: Create staging directory
       run: |

.github/workflows/pr.yml

@@ -7,7 +7,14 @@ on:
   workflow_call:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   check_protos:
     name: Check .proto files
-    uses: ./.github/workflows/check_protos.yml
+    uses: ./.github/workflows/check_protos.yml
+  check_workflows:
+    name: Check workflows
+    uses: ./.github/workflows/check_workflows.yml
+    permissions:
+      security-events: write

.github/workflows/sync_github_issues_to_azdo.yml

@@ -8,6 +8,8 @@ on:
   issue_comment:
     types: [created, edited, deleted]
 
+permissions: {}
+
 jobs:
   alert:
     if: ${{ !github.event.issue.pull_request && github.event.issue.title != 'Dependency Dashboard' }}

.github/workflows/trigger_azdo_ci.yml

@@ -1,14 +1,14 @@
 name: Trigger AzDO CIs
 
 on:
-  workflow_run:
-    workflows: [CI]
-    types:
-      - completed
-    branches:
-      - main
+  workflow_call:
+    secrets:
+      AZDO_PIPELINE_TRIGGERS:
+        required: true
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   trigger_azdo_ci:
     name: Trigger Main CI