🔒 ci(workflows): add zizmor security auditing (#154)

GitHub Actions workflows were vulnerable to several security issues
including template injection, credential exposure, and permission
over-scoping. These vulnerabilities could allow attackers to execute
arbitrary code or access sensitive tokens.

This change adds `zizmor` as a pre-commit hook to continuously audit
workflow security and fixes all existing vulnerabilities. The fixes
include pinning actions to commit hashes, moving secrets to dedicated
environments, isolating GitHub context from shell execution, and
restricting permissions to the minimum required scope.

All workflows now pass security audit with zero findings. Future
workflow changes will be automatically checked before commit.

Author: gaborbernat

.github/dependabot.yaml

@@ -5,8 +5,12 @@ updates:
     target-branch: "main"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     target-branch: "main"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7

.github/workflows/auto-merge.yaml

@@ -1,6 +1,6 @@
 name: Auto-merge
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, synchronize, reopened]
 
 permissions: {}
@@ -9,7 +9,12 @@ jobs:
   auto-merge:
     name: 🤝 Auto-merge
     runs-on: ubuntu-latest
-    if: github.actor == 'gaborbernat' || github.actor == 'dependabot[bot]' || github.actor == 'pre-commit-ci[bot]' || github.actor == 'github-actions[bot]'
+    environment: auto-merge
+    if: >-
+      github.event.pull_request.user.login == 'gaborbernat' ||
+      github.event.pull_request.user.login == 'dependabot[bot]' ||
+      github.event.pull_request.user.login == 'pre-commit-ci[bot]' ||
+      github.event.pull_request.user.login == 'github-actions[bot]'
     steps:
       - name: 🔀 Enable auto-merge
         run: gh pr merge --auto --squash "$PR_URL"

.github/workflows/check.yaml

@@ -17,19 +17,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 🧹 Free disk space
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
         with:
           tool-cache: false
           large-packages: false
       - name: 📥 Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: ☕ Set up Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: zulu
           java-version: 21
       - name: 🐘 Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6
       - name: 🔨 Build plugin
         run: ./gradlew --console=plain buildPlugin
       - name: 📁 Prepare artifact
@@ -40,7 +42,7 @@ jobs:
           unzip "$FILENAME" -d content
           echo "filename=${FILENAME:0:-4}" >> $GITHUB_OUTPUT
       - name: 📤 Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: ${{ steps.artifact.outputs.filename }}
           path: ./build/distributions/content/*/*
@@ -54,7 +56,7 @@ jobs:
         ide: ${{ github.event_name == 'pull_request' && fromJson('["PC"]') || fromJson('["PC", "PY"]') }}
     steps:
       - name: 🧹 Free disk space
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
         with:
           tool-cache: false
           large-packages: false
@@ -63,24 +65,28 @@ jobs:
           haskell: true
           docker-images: true
       - name: 📥 Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: ☕ Set up Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: zulu
           java-version: 21
       - name: 🐘 Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6
       - name: 💾 Cache verifier IDEs
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5
         with:
           path: ~/.pluginVerifier/ides
           key: plugin-verifier-ides-${{ matrix.ide }}-${{ hashFiles('gradle.properties') }}
       - name: ✅ Run verification
-        run: ./gradlew verifyPlugin -PverifyIde=${{ matrix.ide }}
+        run: ./gradlew verifyPlugin -PverifyIde=${MATRIX_IDE}
+        env:
+          MATRIX_IDE: ${{ matrix.ide }}
       - name: 📤 Upload results
         if: ${{ always() }}
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
         with:
           name: pluginVerifier-result-${{ matrix.ide }}
           path: ${{ github.workspace }}/build/reports/pluginVerifier
@@ -90,19 +96,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 🧹 Free disk space
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
         with:
           tool-cache: false
           large-packages: false
       - name: 📥 Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: ☕ Set up Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: zulu
           java-version: 21
       - name: 🐘 Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6
       - name: 🔍 Run linter
         run: ./gradlew ktlintCheck
 
@@ -111,19 +119,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 🧹 Free disk space
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
         with:
           tool-cache: false
           large-packages: false
       - name: 📥 Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: ☕ Set up Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: zulu
           java-version: 21
       - name: 🐘 Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6
       - name: ✅ Run tests with coverage
         run: ./gradlew test koverVerify
 
@@ -132,19 +142,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 🧹 Free disk space
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
         with:
           tool-cache: false
           large-packages: false
       - name: 📥 Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: ☕ Set up Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: zulu
           java-version: 21
       - name: 🐘 Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6
       - name: 🖥️ Run UI tests
         run: |
           export DISPLAY=:99.0

.github/workflows/release.yaml

@@ -16,35 +16,40 @@ jobs:
       url: https://plugins.jetbrains.com/plugin/20536-pyvenv-manage-2
     steps:
       - name: 📥 Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event.release.tag_name }}
+          persist-credentials: false
       - name: 🧹 Free disk space
-        uses: jlumbroso/free-disk-space@main
+        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # main
         with:
           tool-cache: false
           large-packages: false
       - name: ☕ Set up Java
-        uses: actions/setup-java@v5
+        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
         with:
           distribution: zulu
           java-version: 21
       - name: 🐘 Set up Gradle
-        uses: gradle/actions/setup-gradle@v6
+        uses: gradle/actions/setup-gradle@39e147cb9de83bb9910b8ef8bd7fff0ee20fcd6f # v6
       - name: 🏷️ Set version from tag
         id: version
         run: |
-          VERSION="${{ github.event.release.tag_name }}"
+          VERSION="${GITHUB_EVENT_RELEASE_TAG_NAME}"
           VERSION="${VERSION#v}"
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           sed -i "s/^pluginVersion=.*/pluginVersion=$VERSION/" gradle.properties
+        env:
+          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
       - name: 📝 Update changelog
         if: ${{ github.event.release.body != '' }}
         run: |
           cat > /tmp/release-notes.txt << 'RELEASE_NOTES_EOF'
-          ${{ github.event.release.body }}
+          ${GITHUB_EVENT_RELEASE_BODY}
           RELEASE_NOTES_EOF
           ./gradlew patchChangelog --release-note="$(cat /tmp/release-notes.txt)"
+        env:
+          GITHUB_EVENT_RELEASE_BODY: ${{ github.event.release.body }}
       - name: 📤 Publish to JetBrains Marketplace
         env:
           PUBLISH_TOKEN: ${{ secrets.PUBLISH_TOKEN }}
@@ -55,20 +60,25 @@ jobs:
       - name: 📎 Upload release artifact
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        run: gh release upload ${{ github.event.release.tag_name }} ./build/distributions/*
+          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+        run: gh release upload ${GITHUB_EVENT_RELEASE_TAG_NAME} ./build/distributions/*
       - name: 🔢 Calculate next dev version
         id: next
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
+          VERSION="${STEPS_VERSION_OUTPUTS_VERSION}"
           IFS='.' read -r MAJOR MINOR PATCH <<< "$VERSION"
           NEXT_VERSION="$MAJOR.$MINOR.$((PATCH + 1))-dev"
           echo "next_version=$NEXT_VERSION" >> $GITHUB_OUTPUT
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
       - name: 📝 Create post-release PR
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
+          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+          STEPS_NEXT_OUTPUTS_NEXT_VERSION: ${{ steps.next.outputs.next_version }}
         run: |
-          VERSION="${{ github.event.release.tag_name }}"
-          NEXT_VERSION="${{ steps.next.outputs.next_version }}"
+          VERSION="${GITHUB_EVENT_RELEASE_TAG_NAME}"
+          NEXT_VERSION="${STEPS_NEXT_OUTPUTS_NEXT_VERSION}"
           BRANCH="post-release-$VERSION"
 
           # Save patched changelog before switching branches

.pre-commit-config.yaml

@@ -16,3 +16,7 @@ repos:
         additional_dependencies:
           - prettier@3.6.2
           - "@prettier/plugin-xml@3.4.2"
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.23.1
+    hooks:
+      - id: zizmor