ci: security fixes in github actions as suggested by zizmor

Author: mahlau-flex

.github/workflows/tidy3d-docs-sync-readthedocs-repo.yml

@@ -18,6 +18,9 @@ on:
       - 'v*'
       - 'demo/*'
 
+permissions:
+  contents: read
+
 jobs:
   extract_branch_or_tag:
     outputs:
@@ -46,6 +49,7 @@ jobs:
           fetch-depth: 0
           ref: ${{ needs.extract_branch_or_tag.outputs.ref_name }}
           fetch-tags: true
+          persist-credentials: true
 
       - name: push-mirror-repo
         env:

.github/workflows/tidy3d-python-client-daily.yml

@@ -6,18 +6,18 @@ on:
     - cron: '0 5 * * *' # Runs at 5am UTC
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read
 
 jobs:
   update-lockfile:
     uses: ./.github/workflows/tidy3d-python-client-update-lockfile.yml
+    permissions:
+      contents: write
+      pull-requests: write
     with:
       run-workflow: true
-    secrets: inherit
 
   submodule-tests:
     uses: ./.github/workflows/tidy3d-python-client-submodules-test.yml
     with:
       run-workflow: true
-    secrets: inherit

.github/workflows/tidy3d-python-client-develop-cli.yml

@@ -9,6 +9,9 @@ on:
       - develop
       - latest
 
+permissions:
+  contents: read
+
 jobs:
   test-dev-commands:
     strategy:
@@ -23,6 +26,7 @@ jobs:
         ref: develop
         fetch-depth: 1
         submodules: false
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@v5
@@ -58,9 +62,9 @@ jobs:
       #  -----  install & configure poetry  -----
       #----------------------------------------------
     - name: Install Poetry
-      uses: snok/install-poetry@v1
+      uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a  # v1.4.1
       with:
-        version: 1.8.2
+        version: 2.1.1
         virtualenvs-create: true
         virtualenvs-in-project: true
 

.github/workflows/tidy3d-python-client-release.yml

@@ -1,13 +1,13 @@
 name: "public/tidy3d/python-client-release"
 
-permissions:
-  contents: write
-
 on:
   push:
     tags:
       - 'v*.*.*'
 
+permissions:
+  contents: read
+
 jobs:
   test-latest-submodules:
     runs-on: ubuntu-latest
@@ -19,6 +19,7 @@ jobs:
           submodules: 'recursive'
           # This fetches only a single branch by default, so additional fetch is needed
           fetch-depth: 0 # Optionally, set to 0 to fetch all history for all branches and tags
+          persist-credentials: false
 
       - name: Initialize and update submodule
         run: |
@@ -74,20 +75,23 @@ jobs:
 
   github-release:
     runs-on: ubuntu-latest
+    permissions:
+        contents: write
     steps:
     - uses: actions/checkout@v4
       with:
         ref: ${{ github.ref }}
+        persist-credentials: false
     - name: Exit if any RC release
       if: contains(github.ref, 'rc') == false
-      uses: everlytic/branch-merge@1.1.2
+      uses: everlytic/branch-merge@c4a244dc23143f824ae6c022a10732566cb8e973 # v1.1.5
       with:
         github_token: ${{ secrets.GH_PAT }}
         source_ref: ${{ github.ref }}
         target_branch: "latest"
         commit_message_template: ':tada: RELEASE: Merged {source_ref} into target {target_branch}'
     - name: Release
-      uses: softprops/action-gh-release@v1
+      uses: softprops/action-gh-release@aec2ec56f94eb8180ceec724245f64ef008b89f5  # v2.4.0
       with:
         generate_release_notes: true      
       env:
@@ -98,6 +102,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         ref: ${{ github.ref }}
+        persist-credentials: false
     - uses: actions/setup-python@v2
     - name: Install dependencies
       run: |
@@ -107,18 +112,19 @@ jobs:
       env:
         TWINE_USERNAME: __token__
         TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-      run: |
+      run: | # zizmor: ignore[use-trusted-publishing]
         python -m build
-        python -m twine upload --repository pypi dist/*
+        python -m twine upload --repository pypi dist/*  
   sync_to_develop:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
       with:
         ref: "latest"
+        persist-credentials: false
     - name: Exit if any RC release
       if: contains(github.ref, 'rc') == false
-      uses: everlytic/branch-merge@1.1.2
+      uses: everlytic/branch-merge@c4a244dc23143f824ae6c022a10732566cb8e973 # v1.1.5
       with:
         github_token: ${{ secrets.GH_PAT }}
         source_ref: "latest"

.github/workflows/tidy3d-python-client-submodules-test.yml

@@ -22,6 +22,9 @@ on:
         type: boolean
         default: true
 
+permissions:
+  contents: read
+
 jobs:
   test-latest-submodules:
     runs-on: ubuntu-latest
@@ -33,6 +36,7 @@ jobs:
           submodules: 'recursive'
           # This fetches only a single branch by default, so additional fetch is needed
           fetch-depth: 0 # Optionally, set to 0 to fetch all history for all branches and tags
+          persist-credentials: true
 
       - name: Initialize and update submodule
         run: |

.github/workflows/tidy3d-python-client-tests.yml

@@ -23,7 +23,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 jobs:
   determine-test-scope:
@@ -164,7 +163,8 @@ jobs:
         with:
           fetch-depth: 1
           submodules: false
-      - uses: astral-sh/ruff-action@v3
+          persist-credentials: false
+      - uses: astral-sh/ruff-action@57714a7c8a2e59f32539362ba31877a1957dded1 # v3.5.1
         with:
           version: 0.11.11
       - name: Run ruff format
@@ -185,8 +185,24 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 # v6.7.0
+
       - name: Run zizmor 🌈
-        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
+        run: uvx zizmor .github/workflows/* --format=sarif . > results.sarif 
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.30.3
+        with:
+          sarif_file: results.sarif
+          category: zizmor
+      
+      - name: run zizmor directly  # this gets a success or fail result
+        run: uvx zizmor  .github/workflows/*
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
 
   lint-branch-name:
     needs: determine-test-scope
@@ -199,14 +215,16 @@ jobs:
       - name: extract-branch-name
         id: extract-branch-name
         run: |
-          BRANCH_NAME="${{ github.head_ref }}"
+          BRANCH_NAME="${GITHUB_HEAD_REF}"
           echo "Branch name: $BRANCH_NAME"
           echo "branch_name=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
       - name: enforce-jira-key
         id: enforce-jira-key
+        env:
+          STEPS_EXTRACT_BRANCH_NAME_OUTPUTS_BRANCH_NAME: ${{ steps.extract-branch-name.outputs.branch_name }}
         run: |
-          BRANCH_NAME="${{ steps.extract-branch-name.outputs.branch_name }}"
+          BRANCH_NAME="${STEPS_EXTRACT_BRANCH_NAME_OUTPUTS_BRANCH_NAME}"
           echo $BRANCH_NAME
           JIRA_PATTERN='[A-Z]{2,}-[0-9]+'
 
@@ -246,6 +264,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0  # fetch all commits in the PR
+          persist-credentials: false
 
       - name: Setup node
         uses: actions/setup-node@v4
@@ -264,9 +283,11 @@ jobs:
         
       - name: Check commit messages (merge_group)
         if: github.event_name == 'merge_group'
+        env:
+          GITHUB_EVENT_MERGE_GROUP_HEAD_SHA: ${{ github.event.merge_group.head_sha }}
         run: |
           # For merge groups, check the commits being merged
-          npx commitlint --from ${{ github.event.merge_group.base_sha }} --to ${{ github.event.merge_group.head_sha }} --verbose || {
+          npx commitlint --from ${{ github.event.merge_group.base_sha }} --to ${GITHUB_EVENT_MERGE_GROUP_HEAD_SHA} --verbose || {
             echo "Commit message linting failed; please follow the conventional commits format at https://www.conventionalcommits.org/"
             exit 1
           }
@@ -288,6 +309,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
           fetch-depth: 0
+          persist-credentials: false
 
       - name: git-config
         run: |
@@ -324,13 +346,16 @@ jobs:
      
       - name: run-schema-diff
         id: schema-diff
+        env:
+          GITHUB_EVENT_PULL_REQUEST_BASE_REPO_FULL_NAME: ${{ github.event.pull_request.base.repo.full_name }}
+          GITHUB_EVENT_PULL_REQUEST_BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
           set -euo pipefail
           cd "$GITHUB_WORKSPACE"
 
           # Determine base repo/ref for PRs; default to current repo and 'develop' otherwise
-          BASE_REPO="${{ github.event.pull_request.base.repo.full_name }}"
-          BASE_REF="${{ github.event.pull_request.base.ref }}"
+          BASE_REPO="${GITHUB_EVENT_PULL_REQUEST_BASE_REPO_FULL_NAME}"
+          BASE_REF="${GITHUB_EVENT_PULL_REQUEST_BASE_REF}"
           if [ -z "$BASE_REPO" ]; then
             BASE_REPO="${{ github.repository }}"
           fi
@@ -375,9 +400,11 @@ jobs:
       
       - name: verify-allowed-changes
         if: steps.schema-diff.outputs.changed == 'true'
+        env:
+          STEPS_GET_VERSION_OUTPUTS_VERSION: ${{ steps.get-version.outputs.version }}
         run: |
           set -e
-          version="${{ steps.get-version.outputs.version }}"
+          version="${STEPS_GET_VERSION_OUTPUTS_VERSION}"
           if [[ "$version" == *rc* ]]; then
             echo "✅ Passing: Schema changed on a release candidate version ($version), which is permitted."
           else
@@ -403,12 +430,14 @@ jobs:
     env:  # Set environment variables for the whole job
       PIP_ONLY_BINARY: gdstk
       MPLBACKEND: agg
-
+    permissions:
+        pull-requests: write
     steps:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0 # Required 0 for diff report.
         submodules: false
+        persist-credentials: false
 
     - name: install-project
       env:
@@ -449,11 +478,13 @@ jobs:
         matrix.python-version == '3.13' &&
         github.event_name == 'pull_request' &&
         !contains(github.event.pull_request.labels.*.name, 'ignore_diff_coverage')
+      env:
+        GITHUB_EVENT_PULL_REQUEST_BASE_REF: ${{ github.event.pull_request.base.ref }}
       run: |
         source ${GITHUB_WORKSPACE}/.venv/bin/activate
         git config --global --add safe.directory ${GITHUB_WORKSPACE}
         diff-cover ${GITHUB_WORKSPACE}/coverage.xml \
-          --compare-branch origin/${{ github.event.pull_request.base.ref }} \
+          --compare-branch origin/${GITHUB_EVENT_PULL_REQUEST_BASE_REF} \
           --format markdown:diff-coverage.md
 
     - uses: actions/github-script@v7
@@ -519,9 +550,10 @@ jobs:
       with:
         fetch-depth: 1
         submodules: false
+        persist-credentials: false
 
     - name: install-poetry
-      uses: snok/install-poetry@v1
+      uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a  # v1.4.1
       with:
         version: 2.1.1
         virtualenvs-create: true
@@ -534,7 +566,6 @@ jobs:
 
     - name: install-project
       shell: bash
-      if: ${{ matrix.platform }} != "windows-latest"
       run: |
         poetry --version
         python --version
@@ -570,7 +601,7 @@ jobs:
     - name: create-badge
       if: ${{ github.ref == 'refs/heads/develop' }}
       # https://gist.githubusercontent.com/nedbat/8c6980f77988a327348f9b02bbaf67f5
-      uses: schneegans/dynamic-badges-action@v1.7.0
+      uses: schneegans/dynamic-badges-action@e9a478b16159b4d31420099ba146cdc50f134483  # v1.7.0
       with:
         auth: ${{ secrets.GH_TIDY3D_COVERAGE_GIST }}
         gistID: 4702549574741e87deaadba436218ebd
@@ -598,15 +629,24 @@ jobs:
       - lint-branch-name
       - zizmor
     runs-on: ubuntu-latest
+    env:
+      NEEDS_LOCAL_TESTS_RESULT: ${{ needs.local-tests.result }}
+      NEEDS_REMOTE_TESTS_RESULT: ${{ needs.remote-tests.result }}
+      NEEDS_LINT_RESULT: ${{ needs.lint.result }}
+      NEEDS_VERIFY_SCHEMA_CHANGE_RESULT: ${{ needs.verify-schema-change.result }}
+      NEEDS_LINT_COMMIT_MESSAGES_RESULT: ${{ needs.lint-commit-messages.result }}
+      NEEDS_LINT_BRANCH_NAME_RESULT: ${{ needs.lint-branch-name.result }}
+      NEEDS_ZIZMOR_RESULT: ${{ needs.zizmor.result }}
     steps:
       - name: check-linting-result
         if: ${{ needs.lint.result != 'success' }}
         run: |
           echo "❌ Linting failed."
           exit 1
-
+          
       - name: check-schema-change-verification
         if: ${{ needs.verify-schema-change.result != 'success' }}
+        
         run: |
           echo "❌ Schema change verification failed."
           exit 1