ci: fix issues indentified by zizmor GHA linter

gotmax23 · gotmax23 · commit 510ddb5fd6e1 · 2025-10-27T17:11:28.000-05:00
This fixes issues identified by the zizmor linter which checks for
Github Actions security best practicies.

Summary of changes:

- Remove possibilities for shell injection. These can all only be
  activated by workflow_dispatch input provided by people who already
  have access to the repository but still a good idea to tidy this up.
  Many of these occur in the build-package-docs actions. We should test
  everything to make sure nothing is broken by these changes.
- Explicitly set permissions. This is not strictly required, because we
  already enforce a limited set of default permissions in the repo's GHA
  settings, but zizmor wants us to be explicit.
- Use `persist-credentials: false` with the checkout action.
diff --git a/.github/workflows/build-package-docs.yaml b/.github/workflows/build-package-docs.yaml
@@ -51,6 +51,9 @@ name: Build and deploy docs
         - production
         - test
 
+permissions:
+  contents: read
+
 jobs:
   build-package-docs:
     name: 📝 Build
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -16,6 +16,9 @@ name: Ansible Docsite CI
     - ready_for_review  # used in PRs created from GitHub Actions workflows
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   nox:
     uses: ./.github/workflows/reusable-nox.yml
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -29,6 +29,9 @@
 
 name: "Triage Issues and PRs"
 
+permissions:
+  contents: read
+
 jobs:
   label_prs:
     runs-on: ubuntu-latest
@@ -48,6 +51,8 @@ jobs:
           private-key: ${{ secrets.BOT_APP_KEY }}
       - name: Checkout parent repository
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Install Python 3.12
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/pip-compile-dev.yml b/.github/workflows/pip-compile-dev.yml
@@ -13,6 +13,9 @@ name: "Refresh dev dependencies"
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   refresh:
     strategy:
@@ -71,4 +74,6 @@ jobs:
       python-versions: "${{ matrix.python-versions }}"
       reset-branch: "${{ inputs.reset-branch || false }}"
       labels: "${{ inputs.labels || 'no_backport,tooling' }}"
-    secrets: inherit
+    secrets:
+      BOT_APP_ID: "${{ secrets.BOT_APP_ID }}"
+      BOT_APP_KEY: "${{ secrets.BOT_APP_KEY }}"
diff --git a/.github/workflows/pip-compile-docs.yml b/.github/workflows/pip-compile-docs.yml
@@ -19,6 +19,9 @@ name: "Refresh docs build dependencies"
         required: false
         type: string
 
+permissions:
+  contents: read
+
 jobs:
   refresh:
     name: "Refresh docs build dependencies"
@@ -33,4 +36,6 @@ jobs:
       reset-branch: "${{ inputs.reset-branch || false }}"
       labels: "${{ inputs.labels || 'doc builds,no_backport' }}"
       python-versions: "3.12"
-    secrets: inherit
+    secrets:
+      BOT_APP_ID: "${{ secrets.BOT_APP_ID }}"
+      BOT_APP_KEY: "${{ secrets.BOT_APP_KEY }}"
diff --git a/.github/workflows/reusable-build-docs.yaml b/.github/workflows/reusable-build-docs.yaml
@@ -32,9 +32,6 @@ name: Build docs
       DOCS_BOT_TOKEN:
         required: true
 
-env:
-  PACKAGE_VERSION: ${{ inputs.ansible-package-version }}
-
 jobs:
   build-package-docs:
     runs-on: ubuntu-latest
@@ -50,6 +47,7 @@ jobs:
           }}
         ref: ${{ inputs.repository-branch }}
         path: build-directory
+        persist-credentials: false
 
     - name: Setup nox
       uses: wntrblm/nox@2025.10.16
@@ -68,19 +66,22 @@ jobs:
         -c tests/requirements.txt
       working-directory: build-directory
 
-    - name: Set the VERSION variable
-      run: echo VERSION="${PACKAGE_VERSION}" >> "${GITHUB_ENV}"
-
     - name: Build the Ansible community package docs
-      run: >-
-        make webdocs ${{
+      env:
+        PACKAGE_VERSION: "${{ inputs.ansible-package-version }}"
+      run: |
+        # Clear PACKAGE_VERSION if it's set to devel
+        if [ "${PACKAGE_VERSION}" = "devel" ]; then
+          PACKAGE_VERSION=""
+        fi
+        make webdocs ANSIBLE_VERSION="${PACKAGE_VERSION}" ${{
           inputs.generate-redirects && 'EXTRA_TAGS="-t redirects"' || ''
-        }} ANSIBLE_VERSION="${{
-          env.PACKAGE_VERSION != 'devel' && env.PACKAGE_VERSION || ''
-        }}"
+        }}
       working-directory: build-directory/docs/docsite
 
     - name: Create a tarball with the build contents
+      env:
+        PACKAGE_VERSION: "${{ inputs.ansible-package-version }}"
       run: >-
         tar -czvf
         ansible-package-docs-html-"${PACKAGE_VERSION}"-"$(date '+%Y-%m-%d')"-${{
diff --git a/.github/workflows/reusable-deploy-docs.yaml b/.github/workflows/reusable-deploy-docs.yaml
@@ -33,13 +33,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Log the workflow inputs if deployed
+      env:
+        deployment_environment: "${{ inputs.deployment-environment }}"
+        package_version: "${{ inputs.ansible-package-version }}"
+        owner: "${{ inputs.repository-owner }}"
+        branch: "${{ inputs.repository-branch }}"
       run: |
         {
           echo "## Deployment details :shipit:";
-          echo "Publish to: ${{ inputs.deployment-environment }}";
-          echo "Package version: ${{ inputs.ansible-package-version }}";
-          echo "Owner: ${{ inputs.repository-owner }}";
-          echo "Branch: ${{ inputs.repository-branch }}";
+          echo "Publish to: ${deployment_environment}";
+          echo "Package version: ${package_version}";
+          echo "Owner: ${owner}";
+          echo "Branch: ${branch}";
         } >> "${GITHUB_STEP_SUMMARY}"
 
   deploy-package-docs:
diff --git a/.github/workflows/reusable-nox.yml b/.github/workflows/reusable-nox.yml
@@ -38,6 +38,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Setup nox
         uses: wntrblm/nox@2025.10.16
         with:
@@ -46,7 +48,8 @@ jobs:
         run: |
           nox -e clone-core
       - name: "Run nox -e ${{ matrix.session }}"
+        # Using GHA expression interpolation is fine here,
+        # as we control all the inputs.
+        # zizmor: ignore[template-injection]
         run: |
-          # Using GHA expression interpolation is fine here,
-          # as we control all the inputs.
           nox -e "${{ matrix.session }}" -- ${{ matrix.extra-args }}
diff --git a/.github/workflows/reusable-pip-compile.yml b/.github/workflows/reusable-pip-compile.yml
@@ -35,23 +35,21 @@ name: "Refresh pinned dependencies"
       python-versions:
         type: string
         required: true
+
+permissions:
+  contents: read
+
 jobs:
   refresh:
     runs-on: ubuntu-latest
     environment: github-bot
     steps:
-      - name: Generate temp GITHUB_TOKEN
-        id: create_token
-        uses: actions/create-github-app-token@v2
-        with:
-          app-id: ${{ secrets.BOT_APP_ID }}
-          private-key: ${{ secrets.BOT_APP_KEY }}
       - name: Check out repo
         uses: actions/checkout@v5
         with:
           fetch-depth: 0
           ref: "${{ inputs.base-branch }}"
-          token: "${{ steps.create_token.outputs.token }}"
+          persist-credentials: false
       - name: Fetch required contents of ansible-core
         run: |
           python docs/bin/clone-core.py
@@ -78,11 +76,25 @@ jobs:
             echo "branch-exists=false" >> "${GITHUB_OUTPUT}"
             git switch -c "${pr_branch}"
           fi
+      - name: Generate temp GITHUB_TOKEN
+        id: create_token
+        uses: actions/create-github-app-token@v2
+        with:
+          app-id: ${{ secrets.BOT_APP_ID }}
+          private-key: ${{ secrets.BOT_APP_KEY }}
+      # We could rely on the checkout action to persist the token in the
+      # repository config, but this way, we can prevent the previous steps
+      # from having unnecessary access.
+      - name: "Set up token authentication"
+        run: gh auth setup-git --hostname github.com
       - name: "Run nox ${{ inputs.nox-args }}"
         env:
           # Ensure the latest pip version is used
           VIRTUALENV_DOWNLOAD: '1'
-          #
+        # nox-args is defined statically in the calling workflows and passing it
+        # as a shell variable presents quoting issues, so ignore zizmor error
+        # for now.
+        # zizmor: ignore[template-injection]
         run: |
           nox ${{ inputs.nox-args }}
       - name: Push new dependency versions and create a PR
diff --git a/.github/workflows/tag.yml b/.github/workflows/tag.yml
@@ -11,6 +11,9 @@ name: Sync tags with ansible-core releases
   schedule:
     - cron: "0 * * * *"  # Hourly
 
+permissions:
+  contents: read  # read-only because we use bot token to push
+
 jobs:
   tag:
     runs-on: "ubuntu-latest"
@@ -30,12 +33,14 @@ jobs:
           path: ansible-documentation
           fetch-depth: 0
           token: "${{ steps.create_token.outputs.token }}"
+          persist-credentials: true
       - name: Check out core
         uses: actions/checkout@v5
         with:
           repository: ansible/ansible
           path: ansible
           fetch-depth: 0
+          persist-credentials: false
       - name: Setup nox
         uses: wntrblm/nox@2025.10.16
         with:
