From 93559946c1dd80f2afbfb4f67aa46838a569da14 Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Fri, 3 Jan 2025 13:04:04 -0500
Subject: [PATCH] Lint our GitHub Actions workflows with zizmor
We just need to set persist-credentials: false in all of our workflows.
Introduce the standard `make lint` target that runs all of our linters.
Refs .
---
 .github/workflows/ci.yml |  8 ++++++--
 Makefile                 |  7 +++++++
 poetry.lock              | 27 +++++++++++++++++++++++++--
 pyproject.toml           |  1 +
 4 files changed, 39 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 256c763..5ca4809 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -9,6 +9,8 @@ jobs:
     container: debian:bookworm
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: |
           apt-get update && apt-get install --yes --no-install-recommends make openssl python3 python3-poetry
@@ -21,10 +23,12 @@ jobs:
     container: debian:bookworm
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: |
           apt-get update && apt-get install --yes --no-install-recommends make python3 python3-poetry
           poetry install --no-ansi
-      - name: Check code formatting via black
+      - name: Run all linters
         run: |
-          make check-black
+          make lint
diff --git a/Makefile b/Makefile
index 4f19d91..c48aedd 100644
--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,9 @@ image := fpf.local/securedrop-https-everywhere-ruleset:$(shell cat latest-rulese
 DEFAULT_GOAL: help
 
+.PHONY: lint
+lint: check-black zizmor ## Run all linters
+
 .PHONY: check-black
 check-black: ## Check Python source code formatting with black
 	@poetry run black --check --diff ./
 
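Review bot: Both `- uses: actions/checkout@v4` lines in this hunk still reference a mutable tag, so `persist-credentials: false` protects the token left in `.git/config` but not against the tag being moved to a different commit; for an action that runs before anything else in the job, pin it to the full commit SHA of the release and keep the tag as a trailing comment, e.g. `- uses: actions/checkout@<full-40-char-commit-sha> # v4`. The top of the workflow is outside this hunk, so I cannot see whether a `permissions:` block is set; if it is not, a workflow-level `permissions: { contents: read }` is the complementary control, since disabling credential persistence does not shrink what `GITHUB_TOKEN` itself can do for the rest of the job. The `container: debian:bookworm` image reference is likewise a floating tag, which is fine for reproducibility-tolerant CI but worth a digest pin if these jobs ever gain write permissions. The commit message says zizmor only asked for `persist-credentials`, so the SHA-pinning point is a hardening suggestion rather than a reported finding.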
@@ -10,6 +13,10 @@ check-black: ## Check Python source code formatting with black
 black: ## Format Python source code with black
 	@poetry run black ./
 
+.PHONY: zizmor
+zizmor: ## Lint GitHub Actions workflows
+	@poetry run zizmor .
+
 .PHONY: test-key
 test-key: ## Generates a test key for development/testing purposes locally.
 	openssl genrsa -out key.pem 4096
diff --git a/poetry.lock b/poetry.lock
index ae2e845..5dc0f94 100644
--- a/poetry.lock
+++ b/poetry.lock
@@ -1,4 +1,4 @@
-# This file is automatically @generated by Poetry 1.8.5 and should not be changed by hand.
+# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand.
 
 [[package]]
 name = "authlib"
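Review bot: The new `zizmor` target runs `@poetry run zizmor .` with no flags, and the CI job that calls `make lint` does not export a `GH_TOKEN`, so as far as I can tell zizmor's online audits (the ones that query the GitHub API, such as the check for known-vulnerable action versions) will be skipped with a warning in CI while a developer with a token configured locally gets a stricter run. Make the behaviour explicit one way or the other: either `@poetry run zizmor --offline .` so CI and local runs audit the same set, or pass `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the lint step and rely on the online audits. A one-line comment above the recipe saying which mode is intended would save the next person from guessing, e.g. `# Offline by default so results do not depend on a GitHub API token being present`. Whether zizmor 1.0.0 warns or errors without a token should be confirmed against its output in the CI log.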
@@ -519,7 +519,30 @@ h2 = ["h2 (>=4,<5)"] socks = ["pysocks (>=1.5.6,!=1.5.7,<2.0)"] zstd = ["zstandard (>=0.18.0)"] +[[package]] +name = "zizmor" +version = "1.0.0" +description = "Static analysis for GitHub Actions" +optional = false +python-versions = "*" +files = [ + {file = "zizmor-1.0.0-py3-none-macosx_10_12_x86_64.whl", hash = "sha256:d8296b8044160fc5ae0558bdd4781d0479b65e11a54ba68ea6abff31f440adfb"}, + {file = "zizmor-1.0.0-py3-none-macosx_11_0_arm64.whl", hash = "sha256:49f1837b704ce83d5618e9ac222359c60fb4db1e9100ff2045bdf298b66b5e95"}, + {file = "zizmor-1.0.0-py3-none-manylinux_2_17_armv7l.manylinux2014_armv7l.whl", hash = "sha256:ff88090aca8dc769c0272ed0500c08bf52daa328f5b96b83f41622bb84dad6dd"}, + {file = "zizmor-1.0.0-py3-none-manylinux_2_17_i686.manylinux2014_i686.whl", hash = "sha256:c33d137254f048654eed8904882ce5d91a266d7a510c71f027cbde53b956c6e1"}, + {file = "zizmor-1.0.0-py3-none-manylinux_2_17_ppc64le.manylinux2014_ppc64le.whl", hash = "sha256:b771e6c497def0017358fcdc6f796c16a144d382e9bdaeb31e49ae74c3383c3f"}, + {file = "zizmor-1.0.0-py3-none-manylinux_2_17_s390x.manylinux2014_s390x.whl", hash = "sha256:cd5708db1193c0a4285a914aee0cb17181b228d95e3521c6f01f98b2a6010023"}, + {file = "zizmor-1.0.0-py3-none-manylinux_2_17_x86_64.manylinux2014_x86_64.whl", hash = "sha256:e235a8d7e93a7a21bc5901844aba7eaf3ec40ef7dee1ed74210b78a54d18ae5a"}, + {file = "zizmor-1.0.0-py3-none-musllinux_1_2_aarch64.whl", hash = "sha256:4074447e1073209197366f8fd96727fc225dc3524e2b859da4a3b8665f002eff"}, + {file = "zizmor-1.0.0-py3-none-musllinux_1_2_armv7l.whl", hash = "sha256:7ad15ce7c9c3a45a84ddf0bb48c40390785f406366605613fd7bd44c4990e418"}, + {file = "zizmor-1.0.0-py3-none-musllinux_1_2_i686.whl", hash = "sha256:7ed030c1f71105773d335636821c6f5b571b17ea43d3e3c8b0e3c2f95658ac88"}, + {file = "zizmor-1.0.0-py3-none-musllinux_1_2_x86_64.whl", hash = "sha256:839347e4152807438da7a7d328f765eb0429c13aadd0164469f3a642608410e5"}, + {file = "zizmor-1.0.0-py3-none-win32.whl", hash = 
"sha256:bd1892ea25129514e0dc37a54a9c41103458c831dcea9219814a6f0396d89d5e"}, + {file = "zizmor-1.0.0-py3-none-win_amd64.whl", hash = "sha256:155b790beb3255112671c01ac502f017616b5ba04e85e5882cad3f57e11be927"}, + {file = "zizmor-1.0.0.tar.gz", hash = "sha256:2a7c49e9c68722e2a84b2456c45ee6c70629ba423251907cf03a10d6160f5754"}, +] + [metadata] lock-version = "2.0" python-versions = ">= 3.11" -content-hash = "b7a8b19f2f748008f27d68fb2f64b49b796af05d2842fa83ade9ad26ec9028cb" +content-hash = "a44d152b1cfff7bdb7ff1f4ed30aec39c8b3fde239e40ddb2af4d1074e09fc9a" diff --git a/pyproject.toml b/pyproject.toml index 505d61c..f540e47 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -15,6 +15,7 @@ pgpy = ">=0.6.0" [tool.poetry.group.dev.dependencies] black = "*" pytest = "^8.3.4" +zizmor = "^1.0.0" [tool.black] line-length = 100