Merge pull request #4456 from DataDog/tonycthsu/zizmore

Scan with zizmor

Author: TonyCTHsu

.github/workflows/_unit_test.yml

@@ -34,11 +34,16 @@ jobs:
       image: ghcr.io/datadog/images-rb/engines/${{ inputs.engine }}:${{ inputs.version }}
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Generate lockfile
       id: lockfile
+      env:
+        LOCKFILE: lockfile-${{ inputs.alias }}-${{ github.run_id }}
       run: |
         bundle lock
-        echo "lockfile=lockfile-${{ inputs.alias }}-${{ github.run_id }}" >> $GITHUB_OUTPUT
+        echo "lockfile=$LOCKFILE" >> $GITHUB_OUTPUT
+
     - name: Upload lockfile
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:
@@ -148,6 +153,8 @@ jobs:
         image: ghcr.io/datadog/images-rb/services/redis:6.2
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Restore bundle cache
       uses: ./.github/actions/bundle-restore
       with:
@@ -221,6 +228,8 @@ jobs:
         image: ghcr.io/datadog/images-rb/services/starburstdata/presto:332-e.9
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Restore bundle cache
       uses: ./.github/actions/bundle-restore
       with:

.github/workflows/add-milestone-to-pull-requests.yml

@@ -16,6 +16,7 @@ jobs:
         # Checks out the branch that the pull request is merged into
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           ref: ${{ github.event.pull_request.base.ref }}
 
       - name: Get major version from gemspec

.github/workflows/build-gem.yml

@@ -15,6 +15,9 @@ on:
     branches:
     - master
 
+# Default permissions for all jobs
+permissions: {}
+
 env:
   GEM_HOST: 'https://rubygems.pkg.github.com/DataDog'
 
@@ -31,24 +34,21 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: ruby/setup-ruby@8388f20e6a9c43cd241131b678469a9f89579f37 # v1.216.0
         with:
           ruby-version: '3.2'
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
       - name: Patch version
         if: ${{ matrix.type != 'final' }}
+        env:
+          GHA_RUN_ID: ${{ github.run_id }}
+          GIT_REF: ${{ github.ref }}
+          GIT_SHA: ${{ github.sha }}
         run: |
-          # Obtain context information
-          gha_run_id='${{ github.run_id }}'
-          git_ref='${{ github.ref }}'
-          git_sha='${{ github.sha }}'
-
-          # Output info for CI debug
-          echo gha_run_id="${gha_run_id}"
-          echo git_ref="${git_ref}"
-          echo git_sha="${git_sha}"
+          .gitlab/patch_gem_version.sh gha $GHA_RUN_ID $GIT_REF $GIT_SHA;
 
-          .gitlab/patch_gem_version.sh gha $gha_run_id $git_ref $git_sha;
       - name: Patch gem host
         if: ${{ matrix.type != 'final' }}
         run: |

.github/workflows/check.yml

@@ -11,13 +11,18 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Default permissions for all jobs
+permissions: {}
+
 jobs:
   build:
     name: build
     runs-on: ubuntu-24.04
     container: ghcr.io/datadog/images-rb/engines/ruby:3.3
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - run: bundle lock
       - uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         id: lockfile
@@ -33,6 +38,8 @@ jobs:
     container: ghcr.io/datadog/images-rb/engines/ruby:3.3
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       - run: bundle install
       - run: bundle exec rake rubocop
@@ -44,6 +51,8 @@ jobs:
     container: ghcr.io/datadog/images-rb/engines/ruby:3.3
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       - name: Install dependencies
         run: bundle install
@@ -56,6 +65,8 @@ jobs:
     container: ghcr.io/datadog/images-rb/engines/ruby:3.3
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
       - name: Install dependencies
         run: bundle install
@@ -77,6 +88,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 # requires the lockfile
       - uses: DataDog/datadog-sca-github-action@main
         with:
@@ -90,6 +103,8 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: DataDog/datadog-static-analyzer-github-action@v1
         with:
           dd_api_key: ${{ secrets.DD_API_KEY }}
@@ -103,6 +118,8 @@ jobs:
     container: semgrep/semgrep # PENDING: Possible to be rate limited.
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - run: |
           semgrep ci \
           --include=bin/* \
@@ -112,6 +129,24 @@ jobs:
         env:
           SEMGREP_RULES: p/default
 
+  # https://woodruffw.github.io/zizmor/
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - name: Run zizmor 🌈
+        uses: docker://ghcr.io/woodruffw/zizmor:1.4.1
+        with:
+          args: --min-severity low .
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   complete:
     name: Static Analysis (complete)
     needs:
@@ -121,6 +156,7 @@ jobs:
       - 'semgrep'
       - 'dd-software-composition-analysis'
       - 'dd-static-analysis'
+      - 'zizmor'
     runs-on: ubuntu-24.04
     steps:
       - run: echo "Done"

.github/workflows/codeql-analysis.yml

@@ -7,6 +7,9 @@ on:
     # The branches below must be a subset of the branches above
     branches: [ master ]
 
+# Default permissions for all jobs
+permissions: {}
+
 jobs:
   analyze:
     name: Analyze
@@ -26,6 +29,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/generate-supported-versions.yml

@@ -15,6 +15,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up Ruby
         uses: ruby/setup-ruby@8388f20e6a9c43cd241131b678469a9f89579f37 # v1.216.0

.github/workflows/lock-dependency.yml

@@ -12,6 +12,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Default permissions for all jobs
+permissions: {}
+
 jobs:
   dependency:
     name: Dependency changes
@@ -20,6 +23,8 @@ jobs:
       changes: ${{ steps.changes.outputs.dependencies }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: changes
         with:
@@ -62,6 +67,8 @@ jobs:
         BUNDLE_WITHOUT: check
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - run: |
           ruby -v
           gem -v
@@ -84,6 +91,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           token: ${{ secrets.GHA_PAT }}
       - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
         with:

.github/workflows/nix.yml

@@ -8,6 +8,9 @@ on:
     branches:
     - master
 
+# Default permissions for all jobs
+permissions: {}
+
 jobs:
   test:
     strategy:
@@ -46,6 +49,8 @@ jobs:
         run: |
           test "$(uname -m)" = "${{ matrix.platform.cpu }}"
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@dea7810afd9d4c98556c8ec68cf361bd5b648eaa # main
       - name: Print ruby version
         run: |

.github/workflows/parametric-tests.yml

@@ -11,6 +11,9 @@ on:
   schedule:
     - cron: "00 04 * * 2-6"
 
+# Default permissions for all jobs
+permissions: {}
+
 jobs:
   changes:
     name: Changes
@@ -20,6 +23,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Changes
         uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
         id: changes
@@ -46,6 +51,7 @@ jobs:
       - run: mkdir binaries/
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           path: binaries/dd-trace-rb/
       - name: Upload artifact
         uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
@@ -59,7 +65,7 @@ jobs:
       - changes
     if: ${{ needs.changes.outputs.changes == 'true' }}
     uses: DataDog/system-tests/.github/workflows/run-parametric.yml@main
-    secrets: inherit
+    secrets: inherit # zizmor: ignore[secrets-inherit]
     with:
       library: ruby
       binaries_artifact: system_tests_binaries

.github/workflows/publish.yml

@@ -5,6 +5,9 @@ on: workflow_dispatch
 
 concurrency: "rubygems" # Only one publish job at a time
 
+# Default permissions for all jobs
+permissions: {}
+
 jobs:
   verify-checks:
     name: Verify commit status checks
@@ -15,6 +18,8 @@ jobs:
       version: ${{ steps.version.outputs.version }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: ruby/setup-ruby@8388f20e6a9c43cd241131b678469a9f89579f37 # v1.216.0
         with:
           ruby-version: '3.3.7'
@@ -109,6 +114,8 @@ jobs:
       SKIP_SIMPLECOV: 1
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Set up Ruby
         uses: ruby/setup-ruby@8388f20e6a9c43cd241131b678469a9f89579f37 # v1.216.0
         with:
@@ -151,6 +158,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           fetch-depth: 0
       - name: Set up Ruby
         uses: ruby/setup-ruby@8388f20e6a9c43cd241131b678469a9f89579f37 # v1.216.0
@@ -265,6 +273,7 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           token: ${{ secrets.GHA_PAT }}
           fetch-depth: 0
       - run: |

.github/workflows/pull-request-labeler.yml

@@ -1,6 +1,6 @@
 name: "Pull Request Labeler"
 on:
-  - pull_request_target
+  - pull_request_target # zizmor: ignore[dangerous-triggers]
 
 jobs:
   triage: