ci: add zizmor for github actions security

.github/workflows/ci.yml

@@ -113,7 +113,7 @@ jobs:
           save-cache: ${{ github.ref_name == 'main' }}
       - run: rustup target add wasm32-wasip1-threads
       - uses: bytecodealliance/actions/wasmtime/setup@v1
-      - run: cargo test --target wasm32-wasip1-threads ${{ env.TEST_FLAGS }}
+      - run: cargo test --target wasm32-wasip1-threads ${TEST_FLAGS}
       - run: git diff --exit-code # Must commit everything
 
   test-wasm32-unknown-unknown:

.github/workflows/ci_security.yml

@@ -0,0 +1,40 @@
+name: GitHub Actions Security Analysis
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types: [opened, synchronize]
+    paths:
+      - ".github/workflows/**"
+  push:
+    branches:
+      - main
+      - "renovate/**"
+    paths:
+      - ".github/workflows/**"
+
+jobs:
+  zizmor:
+    name: zizmor latest via PyPI
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v4
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor

.github/workflows/pr.yml

@@ -1,7 +1,7 @@
 name: Check PR
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - opened
       - edited

.github/workflows/prepare_release_oxlint.yml

@@ -10,11 +10,6 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
-permissions:
-  pull-requests: write
-  contents: write
-  actions: write
-
 jobs:
   prepare:
     name: Prepare Release Oxlint
@@ -28,6 +23,9 @@ jobs:
     needs: prepare
     name: Trigger Ecosystem CI
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+      contents: write
     steps:
       - uses: taiki-e/checkout-action@v1
 
@@ -50,6 +48,8 @@ jobs:
     needs: prepare
     name: Update oxc.rs
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
     steps:
       - uses: taiki-e/checkout-action@v1
       - uses: benc-uk/workflow-dispatch@v1

.github/workflows/release_crates.yml

@@ -8,10 +8,6 @@ on:
     paths:
       - crates/oxc/Cargo.toml
 
-permissions:
-  contents: write
-  actions: write
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -20,10 +16,14 @@ jobs:
   release:
     name: Release crates
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      actions: write
     steps:
       - uses: actions/checkout@v4
         with:
           token: ${{ secrets.PAT }} # required for git tag push
+          persist-credentials: false
 
       - uses: Boshen/setup-rust@main
         with:
@@ -41,6 +41,8 @@ jobs:
           echo "TAG=$(cat ./target/OXC_VERSION)" >> $GITHUB_OUTPUT
 
       - name: Tag and Push
+        env:
+          TAG_NAME: ${{ steps.run.outputs.TAG }}
         run: |
-          git tag ${{ steps.run.outputs.TAG }}
-          git push origin tag ${{ steps.run.outputs.TAG }}
+          git tag ${TAG_NAME}
+          git push origin tag ${TAG_NAME}

.github/workflows/release_napi_parser.yml

@@ -35,9 +35,12 @@ jobs:
 
       - name: Set version name
         if: steps.version.outputs.changed == 'true'
+        env:
+          VERSION_NUMBER: ${{ steps.version.outputs.version }}
+          VERSION_TYPE: ${{ steps.version.outputs.version_type }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})"
-          echo "version=${{ steps.version.outputs.version }}" >> $GITHUB_ENV
+          echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})"
+          echo "version=${VERSION_TYPE}" >> $GITHUB_ENV
 
   build:
     needs: check

.github/workflows/release_napi_transform.yml

@@ -35,9 +35,12 @@ jobs:
 
       - name: Set version name
         if: steps.version.outputs.changed == 'true'
+        env:
+          VERSION_NUMBER: ${{ steps.version.outputs.version }}
+          VERSION_TYPE: ${{ steps.version.outputs.version_type }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})"
-          echo "version=${{ steps.version.outputs.version }}" >> $GITHUB_ENV
+          echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_NUMBER})"
+          echo "version=${VERSION_NUMBER}" >> $GITHUB_ENV
 
   build:
     needs: check

.github/workflows/release_oxlint.yml

@@ -32,8 +32,10 @@ jobs:
 
       - name: Print version
         if: steps.version.outputs.changed == 'true'
+        env:
+          NEW_VERSION: ${{ steps.version.outputs.version }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }}"
+          echo "Version change found! New version: ${NEW_VERSION}"
 
   build:
     needs: check
@@ -150,6 +152,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0 # for changelog
+          persist-credentials: false
 
       - uses: Boshen/setup-rust@main
         with:
@@ -227,10 +230,12 @@ jobs:
     container: ${{ matrix.container }}
     steps:
       - name: Test
+        env:
+          OXLINT_VERSION: ${{ needs.check.outputs.version}}
         run: |
           touch test.js
           ldd --version || true
-          npx oxlint@${{ needs.check.outputs.version }} ./test.js
+          npx oxlint@${OXLINT_VERSION} ./test.js
 
   eslint-plugin-oxlint:
     needs: [check, publish]

.github/workflows/release_types.yml

@@ -32,8 +32,11 @@ jobs:
 
       - name: Set version name
         if: steps.version.outputs.changed == 'true'
+        env:
+          VERSION_NUMBER: ${{ steps.version.outputs.version }}
+          VERSION_TYPE: ${{ steps.version.outputs.version_type }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})"
+          echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})"
 
   build:
     needs: check

.github/workflows/release_vscode.yml

@@ -36,9 +36,12 @@ jobs:
 
       - name: Set version name
         if: steps.version.outputs.changed == 'true'
+        env:
+          VERSION_NUMBER: ${{ steps.version.outputs.version }}
+          VERSION_TYPE: ${{ steps.version.outputs.version_type }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})"
-          echo "version=${{ steps.version.outputs.version }}" >> $GITHUB_ENV
+          echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})"
+          echo "version=${VERSION_NUMBER}" >> $GITHUB_ENV
 
   build:
     needs: check

.github/workflows/release_wasm.yml

@@ -32,8 +32,11 @@ jobs:
 
       - name: Set version name
         if: steps.version.outputs.changed == 'true'
+        env:
+          VERSION_NUMBER: ${{ steps.version.outputs.version }}
+          VERSION_TYPE: ${{ steps.version.outputs.version_type }}
         run: |
-          echo "Version change found! New version: ${{ steps.version.outputs.version }} (${{ steps.version.outputs.version_type }})"
+          echo "Version change found! New version: ${VERSION_NUMBER} (${VERSION_TYPE})"
 
   build:
     needs: check

.github/workflows/reusable_prepare_release.yml

@@ -27,6 +27,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: Boshen/setup-rust@main
         with:
@@ -35,9 +36,11 @@ jobs:
 
       - name: Run
         id: run
+        env:
+          RELEASE_NAME: ${{ inputs.name }}
         run: |
           cargo ck
-          cargo release-oxc update --release ${{ inputs.name }}
+          cargo release-oxc update --release ${RELEASE_NAME}
           echo "VERSION=$(cat ./target/OXC_VERSION)" >> $GITHUB_OUTPUT
           {
             echo 'CHANGELOG<<EOF'