Set up Zizmor (#70)

Author: hugovk

.github/dependabot.yml

@@ -5,4 +5,9 @@ updates:
     directory: "/"
     schedule:
       interval: monthly
+    cooldown:
+      # https://blog.yossarian.net/2025/11/21/We-should-all-be-using-dependency-cooldowns
+      # Cooldowns protect against supply chain attacks by avoiding the
+      # highest-risk window immediately after new releases.
+      default-days: 14
     open-pull-requests-limit: 10

.github/workflows/build-and-push.yml

@@ -17,14 +17,18 @@ jobs:
     permissions:
       contents: read
       packages: write
+    env:
+      CONTAINER: ${{ inputs.container }}
     steps:
       - name: Set Calver Date
         run: |
-          echo "builddate=$(date +'%Y.%m.%d')" >> $GITHUB_OUTPUT
-          echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
+          echo "builddate=$(date +'%Y.%m.%d')" >> "$GITHUB_OUTPUT"
+          echo "created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> "$GITHUB_OUTPUT"
         id: version
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
@@ -45,11 +49,13 @@ jobs:
       # https://specs.opencontainers.org/image-spec/annotations/#pre-defined-annotation-keys
       - name: Extract labels from Dockerfile
         id: labels
+        env:
+          CREATED: ${{ steps.version.outputs.created }}
         run: |
           set -euo pipefail
 
           # Extract labels from the Dockerfile.
-          DOCKERFILE=./${{ inputs.container }}/Dockerfile
+          DOCKERFILE="./${CONTAINER}/Dockerfile"
 
           # Function to extract a label value.
           extract_label() {
@@ -80,8 +86,8 @@ jobs:
           documentation=$(extract_label "documentation")
 
           # Get dynamic values from earlier steps.
-          created="${{ steps.version.outputs.created }}"
-          revision="${{ github.sha }}"
+          created="$CREATED"
+          revision="$GITHUB_SHA"
 
           # Build annotations string.
           annotations=""
@@ -97,11 +103,11 @@ jobs:
           add_annotation "revision" "$revision"
 
           # Output the complete annotations string.
-          echo "annotations=$annotations" >> $GITHUB_OUTPUT
+          echo "annotations=$annotations" >> "$GITHUB_OUTPUT"
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
-          context: ./${{ inputs.container }}
+          context: ./${{ env.CONTAINER }}
           platforms: linux/amd64,linux/arm64
           push: true
           tags: |

.github/workflows/ci.yml

@@ -7,6 +7,8 @@ on:
   pull_request:
     branches: [main]
 
+permissions: {}
+
 jobs:
   build_dev_container:
     name: Build and test (Dev container)
@@ -21,6 +23,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Build Dockerfile
@@ -30,7 +34,7 @@ jobs:
           load: true
           tags: ${{ env.TAG }}
       - name: Test clang
-        run: docker run --rm ${{ env.TAG }} clang --version
+        run: docker run --rm "$TAG" clang --version
 
   build_wasi_container:
     name: Build and test (WASI container)
@@ -44,6 +48,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Build Dockerfile
@@ -53,9 +59,9 @@ jobs:
           load: true
           tags: ${{ env.TAG }}
       - name: Test WASI SDK
-        run: docker run --rm ${{ env.TAG }} /opt/wasi-sdk/bin/clang --version
+        run: docker run --rm "$TAG" /opt/wasi-sdk/bin/clang --version
       - name: Test Wasmtime
-        run: docker run --rm ${{ env.TAG }} wasmtime --version
+        run: docker run --rm "$TAG" wasmtime --version
 
   build_autoconf:
     name: Build and test (Autoconf)
@@ -70,6 +76,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Build Dockerfile
@@ -80,4 +88,4 @@ jobs:
           load: true
           tags: ${{ env.TAG }}
       - name: Test
-        run: docker run --rm $TAG autoconf --version | grep ${{ matrix.autoconf_version }}
+        run: docker run --rm "$TAG" autoconf --version | grep ${{ matrix.autoconf_version }}

.github/workflows/lint.yml

@@ -0,0 +1,18 @@
+name: Lint
+
+on: [push, pull_request, workflow_dispatch]
+
+permissions: {}
+
+env:
+  FORCE_COLOR: 1
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          persist-credentials: false
+      - uses: j178/prek-action@v1

.github/workflows/release.yml

@@ -15,10 +15,12 @@ on:
 
 run-name: "Release: ${{ inputs.container }}${{ inputs.container == 'devcontainer' && ' + wasicontainer' || '' }}"
 
+permissions: {}
+
 jobs:
   authorize:
     runs-on: ubuntu-latest
-    if: contains('["brettcannon", "corona10", "erlend-aasland"]', github.actor)
+    if: contains(fromJSON('["brettcannon", "corona10", "erlend-aasland"]'), github.actor)
     steps:
       - run: echo "Authorized"
 

.github/zizmor.yml

@@ -0,0 +1,10 @@
+# Configuration for the zizmor static analysis tool, run via prek in CI
+# https://woodruffw.github.io/zizmor/configuration/
+rules:
+  template-injection:
+    ignore:
+      - build-and-push.yml:108
+  unpinned-uses:
+    config:
+      policies:
+        "*": ref-pin

.pre-commit-config.yaml

@@ -0,0 +1,32 @@
+repos:
+  - repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+      - id: check-added-large-files
+      - id: check-case-conflict
+      - id: check-merge-conflict
+      - id: check-yaml
+      - id: end-of-file-fixer
+      - id: forbid-submodules
+      - id: trailing-whitespace
+
+  - repo: https://github.com/python-jsonschema/check-jsonschema
+    rev: 0.36.2
+    hooks:
+      - id: check-dependabot
+      - id: check-github-workflows
+
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.11
+    hooks:
+      - id: actionlint
+
+  - repo: https://github.com/woodruffw/zizmor-pre-commit
+    rev: v1.22.0
+    hooks:
+      - id: zizmor
+
+  - repo: meta
+    hooks:
+      - id: check-hooks-apply
+      - id: check-useless-excludes

autoconf/ax_c_float_words_bigendian.diff

@@ -56,31 +56,31 @@ index 216b90d8..52036844 100644
  #   permitted in any medium without royalty provided the copyright notice
  #   and this notice are preserved. This file is offered as-is, without any
  #   warranty.
- 
+
 -#serial 11
 +#serial 14
- 
+
  AC_DEFUN([AX_C_FLOAT_WORDS_BIGENDIAN],
    [AC_CACHE_CHECK(whether float word ordering is bigendian,
                    ax_cv_c_float_words_bigendian, [
- 
+
  ax_cv_c_float_words_bigendian=unknown
 -AC_COMPILE_IFELSE([AC_LANG_SOURCE([[
 +AC_LINK_IFELSE([AC_LANG_SOURCE([[
 +
 +#include <stdlib.h>
 +
 +static double m[] = {9.090423496703681e+223, 0.0};
- 
+
 -double d = 90904234967036810337470478905505011476211692735615632014797120844053488865816695273723469097858056257517020191247487429516932130503560650002327564517570778480236724525140520121371739201496540132640109977779420565776568942592.0;
 +int main (int argc, char *argv[])
 +{
 +    m[atoi (argv[1])] += atof (argv[2]);
 +    return m[atoi (argv[3])] > 0.0;
 +}
- 
+
  ]])], [
- 
+
 -if grep noonsees conftest.$ac_objext >/dev/null ; then
 +if grep noonsees conftest* > /dev/null ; then
    ax_cv_c_float_words_bigendian=yes

autoconf/config.sub.patch

@@ -33,12 +33,12 @@ index 4aaae46..335706d 100755
 --- a/config.sub
 +++ b/config.sub
 @@ -4,7 +4,7 @@
- 
+
  # shellcheck disable=SC2006,SC2268,SC2162 # see below for rationale
- 
+
 -timestamp='2024-05-27'
 +timestamp='2025-01-06'
- 
+
  # This file is free software; you can redistribute it and/or modify it
  # under the terms of the GNU General Public License as published by
 @@ -1194,7 +1194,7 @@ case $cpu-$vendor in
@@ -49,7 +49,7 @@ index 4aaae46..335706d 100755
 +	arm64-* | aarch64le-* | arm64_32-*)
  		cpu=aarch64
  		;;
- 
+
 @@ -2249,6 +2249,8 @@ case $kernel-$os-$obj in
  		;;
  	*-eabi*- | *-gnueabi*-)
@@ -59,6 +59,5 @@ index 4aaae46..335706d 100755
  	none--*)
  		# None (no kernel, i.e. freestanding / bare metal),
  		# can be paired with an machine code file format
--- 
+--
 2.47.1
-