GHA/checksrc: check GHA rules with zizmor
authorViktor Szakats <commit@vsz.me>
Wed, 7 May 2025 16:56:27 +0000 (18:56 +0200)
committerViktor Szakats <commit@vsz.me>
Wed, 7 May 2025 21:11:09 +0000 (23:11 +0200)
The pedantic level is experimental. If it causes issues, we may simply
disable it, together with the ignore comments it required.

Also:
- silence error:
  ```
   INFO audit: zizmor: completed label.yml
  error[dangerous-triggers]: use of fundamentally insecure workflow trigger
    --> label.yml:13:1
     |
  13 | 'on': [pull_request_target]
     | ^^^^^^^^^^^^^^^^^^^^^^^^^^^ pull_request_target is almost always used insecurely
     |
     = note: audit confidence -> Medium
  ```
- fix pedantic warning:
  ```
   INFO audit: zizmor: completed label.yml
  warning[excessive-permissions]: overly broad permissions
    --> label.yml:1:1
  ...  |
  24 | |         with:
  25 | |           repo-token: '${{ secrets.GITHUB_TOKEN }}'
     | |____________________________________________________- default permissions used due to no permissions: block
     |
     = note: audit confidence -> Medium
  ```
- silence `template-injection` false positives like:
  ```
  - note: ${{ matrix.build.torture && 'test-torture' || 'test-ci' }} may expand into attacker-controllable code
  - note: ${{ contains(matrix.build.install_steps, 'pytest') && 'caddy httpd vsftpd' || '' }} may expand into attacker-controllable code
  ```
  It doesn't seem like these could be controlled by an attacker.
  Let me know if I'm missing something.

Closes #17278

.github/workflows/checksrc.yml
.github/workflows/label.yml
.github/workflows/linux.yml
.github/workflows/macos.yml
.github/workflows/windows.yml

index 64b4121e361514af170d2ddc6d5269842e4bb0b8..4075bfb6cc66797fdbb8a965bcaa7c29409ca328 100644 (file)
@@ -117,3 +117,18 @@ jobs:
         run: |
           grep -Ev '(\\bwill| url | dir )' .github/scripts/badwords.txt | \
           .github/scripts/badwords.pl $(git ls-files -- src lib include)
+
+  ghacheck:
+    name: GHA analysis
+    runs-on: macos-latest
+    timeout-minutes: 1
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          persist-credentials: false
+        name: checkout
+
+      - name: zizmor
+        run: |
+          brew install zizmor
+          zizmor --pedantic .github/workflows/*.yml
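Review bot: The checker itself is installed unpinned via `brew install zizmor` on L68, so the audit set and its verdicts float with whatever Homebrew ships on the day the job runs; a new zizmor release can turn this job red with no change to the repository, and the supply chain of the linter is not fixed the way the `actions/checkout` SHA pin on L61 is. Consider pinning a version (for example `pip install 'zizmor==<version>'`, or the zizmor GitHub action pinned to a commit SHA), or at least leave a comment such as `# zizmor version intentionally floats; pin if a release breaks the audit` so the choice is visible. The `timeout-minutes: 1` on L59 also has to absorb the Homebrew install, which may include a `brew update`; hedged, but two or three minutes would be a safer budget for a job whose failure mode is otherwise indistinguishable from a real finding.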
index d6eef843a63442820f041e0db6118f34a005e95a..c20798a565cb034eec82f055323f9218537f6770 100644 (file)
 # https://github.com/actions/labeler
 
 name: Labeler
-'on': [pull_request_target]
+'on': [pull_request_target]  # zizmor: ignore[dangerous-triggers]
+
+permissions: {}
 
 jobs:
   label:
-
     runs-on: ubuntu-latest
     permissions:
       contents: read
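Review bot: The `# zizmor: ignore[dangerous-triggers]` on L75 silences the finding without recording why `pull_request_target` is acceptable here, which is the one fact a maintainer needs before touching this job. The trigger is safe only as long as the job never checks out or executes content from the PR head (no `actions/checkout` with `ref: ${{ github.event.pull_request.head.sha }}`, no script taken from the PR); the rest of the job is outside the hunk, so I cannot confirm that from what is shown. Suggest placing the justification beside the suppression, e.g. `# pull_request_target is needed so labeler can write PR labels; this job must never check out or run PR-head content`. The top-level `permissions: {}` on L77 with job-level `contents: read` is the right shape for that, presumably alongside a `pull-requests: write` grant that is not visible here.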
index f357069cc55656860dcc8b2e47417a80433e6aaa..53fa15eced21619497e4f7860ecc10c77a3b4d7d 100644 (file)
@@ -298,6 +298,7 @@ jobs:
     steps:
       - name: 'install prereqs'
         if: matrix.build.container == null && !contains(matrix.build.name, 'i686')
+        # zizmor: ignore[template-injection]
         run: |
           sudo rm -f /etc/apt/sources.list.d/microsoft-prod.list
           sudo apt-get -o Dpkg::Use-Pty=0 update
@@ -661,6 +662,7 @@ jobs:
       - name: 'run tests'
         if: ${{ !contains(matrix.build.install_steps, 'skipall') && !contains(matrix.build.install_steps, 'skiprun') }}
         timeout-minutes: ${{ contains(matrix.build.install_packages, 'valgrind') && 30 || 15 }}
+        # zizmor: ignore[template-injection]
         run: |
           export TFLAGS='${{ matrix.build.tflags }}'
           if [ -z '${{ matrix.build.torture }}' ]; then
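Review bot: The step-level `# zizmor: ignore[template-injection]` on L98 suppresses every template-injection finding in the `run tests` step, not only the two `matrix.build.*` expansions visible on L100-L101, so an expression added to this script later (for instance one derived from `github.event` or from a matrix `include` computed by an earlier job) would be masked as well. The reasoning in the commit message holds today because the values are literals defined in this workflow, but the suppression can be avoided altogether by passing the values through `env:` and reading them as shell variables, which is the remediation zizmor itself recommends and keeps the audit live for this step. The step body continues past the hunk, so the remaining `${{ }}` uses there would need the same treatment.
```yaml
      - name: 'run tests'
        # … unchanged: if / timeout-minutes …
        env:
          TFLAGS: ${{ matrix.build.tflags }}
          TORTURE: ${{ matrix.build.torture }}
        run: |
          export TFLAGS
          if [ -z "$TORTURE" ]; then
          # … unchanged: rest of the test script …
```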
index 75dda31ff4e9b54471dd865f44c53fc289667940..8e8cf3a3374e9a869cd060031d20653e5de7a9f9 100644 (file)
@@ -183,6 +183,7 @@ jobs:
         # Run this command with retries because of spurious failures seen
         # while running the tests, for example
         # https://github.com/curl/curl/runs/4095721123?check_suite_focus=true
+        # zizmor: ignore[template-injection]
         run: |
           echo ${{ matrix.build.generate && 'ninja' || 'automake libtool' }} \
             pkgconf libpsl libssh2 \
@@ -311,6 +312,7 @@ jobs:
       - name: 'run tests'
         if: ${{ !matrix.build.clang-tidy }}
         timeout-minutes: ${{ matrix.build.torture && 20 || 10 }}
+        # zizmor: ignore[template-injection]
         run: |
           export TFLAGS='-j20 ${{ matrix.build.tflags }}'
           if [ -z '${{ matrix.build.torture }}' ]; then
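Review bot: The `# zizmor: ignore[template-injection]` on L115 is a blanket suppression for the whole `run tests` step and carries no rationale, so a reader cannot tell which expansions were assessed or why they were judged safe. The expressions visible on L117-L118 are `matrix.build.tflags` and `matrix.build.torture`, which appear to be literals from this workflow's own matrix rather than PR-controlled data, and the step body continues outside the hunk. Suggest stating that in a comment above the suppression, e.g. `# matrix.build.* below are literals from this workflow's matrix, not PR-controlled input`, or alternatively moving the two values into `env:` so no suppression is needed at all. Note also that the ignore will continue to cover any expression added to this script in the future.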
index f2a57d82ee64b35e905bb8279137a931167e4ae6..0a8b813025924d105ce819731d28a23d04499df7 100644 (file)
@@ -572,6 +572,7 @@ jobs:
     steps:
       - name: 'install packages'
         timeout-minutes: 5
+        # zizmor: ignore[template-injection]
         run: |
           sudo rm -f /var/lib/man-db/auto-update
           sudo apt-get -o Dpkg::Use-Pty=0 install mingw-w64 \
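Review bot: The `# zizmor: ignore[template-injection]` on L124 covers the whole `install packages` step, yet none of the lines shown in the hunk contain a `${{ }}` expression; the expansion that triggered the finding is somewhere below L127, outside the hunk, so a reviewer of this diff cannot verify that it is only a static matrix literal. Suggest the comment name what it is suppressing, e.g. `# matrix.build.* expansions below are literals from this workflow's matrix, not PR-controlled input`, so the suppression can be re-checked when the step changes. As with the other files, routing the value through `env:` would remove the need for the ignore entirely.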