Lint our GitHub Actions workflows with zizmor

We just need to set persist-credentials: false in all of our workflows.

Introduce the standard `make lint` target that runs all of our linters.

Refs <freedomofpress/securedrop-tooling#18>.

.github/workflows/ci.yml

@@ -9,6 +9,8 @@ jobs:
     container: debian:bookworm
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: |
           apt-get update && apt-get install --yes --no-install-recommends make openssl python3 python3-poetry
@@ -21,10 +23,12 @@ jobs:
     container: debian:bookworm
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: |
           apt-get update && apt-get install --yes --no-install-recommends make python3 python3-poetry
           poetry install --no-ansi
-      - name: Check code formatting via black
+      - name: Run all linters
         run: |
-            make check-black
+            make lint

Makefile

@@ -2,6 +2,9 @@ image := fpf.local/securedrop-https-everywhere-ruleset:$(shell cat latest-rulese
 
 DEFAULT_GOAL: help
 
+.PHONY: lint
+lint: check-black zizmor ## Run all linters
+
 .PHONY: check-black
 check-black: ## Check Python source code formatting with black
 	@poetry run black --check --diff ./
@@ -10,6 +13,10 @@ check-black: ## Check Python source code formatting with black
 black: ## Format Python source code with black
 	@poetry run black ./
 
+.PHONY: zizmor
+zizmor: ## Lint GitHub Actions workflows
+	@poetry run zizmor .
+
 .PHONY: test-key
 test-key: ## Generates a test key for development/testing purposes locally.
 	openssl genrsa -out key.pem 4096

pyproject.toml

@@ -15,6 +15,7 @@ pgpy = ">=0.6.0"
 [tool.poetry.group.dev.dependencies]
 black = "*"
 pytest = "^8.3.4"
+zizmor = "^1.0.0"
 
 [tool.black]
 line-length = 100