ci: add zizmor

Author: Thegaram

.github/workflows/bump_version.yml

@@ -14,6 +14,8 @@ jobs:
   try-to-bump:
     if: contains(github.event.pull_request.labels.*.name, 'bump-version')
     runs-on: ubuntu-latest
+    permissions: {}
+
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
@@ -29,7 +31,7 @@ jobs:
           # fetch develop branch so that we can diff against later
           git fetch origin develop
 
-          echo 'checking verion changes in diff...'
+          echo 'checking version changes in diff...'
 
           # check if version changed in version.go
           # note: the grep will fail if use \d instead of [0-9]

.github/workflows/docker-arm64.yaml

@@ -11,6 +11,8 @@ on:
 jobs:
   build-and-push-arm64-image:
     runs-on: ubuntu-latest
+    permissions: {}
+
     strategy:
       matrix:
         arch:
@@ -32,6 +34,7 @@ jobs:
         uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # v2.10.0
         with:
           cache-binary: false
+
       - name: Login to Docker Hub
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0
         with:

.github/workflows/docker.yaml

@@ -10,6 +10,8 @@ on:
 jobs:
   build-and-push:
     runs-on: ubuntu-latest
+    permissions: {}
+
     steps:
     - name: Checkout code
       uses: actions/checkout@v2

.github/workflows/l2geth_ci.yml

@@ -1,3 +1,5 @@
+name: CI
+
 on:
   push:
     branches: # we keep this to avoid triggering `push` & `pull_request` every time we update a PR
@@ -11,12 +13,12 @@ on:
       - reopened
       - synchronize
       - ready_for_review
-name: CI
-jobs:
 
+jobs:
   build-mock-ccc-geth: # build geth with mock circuit capacity checker
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
@@ -35,6 +37,7 @@ jobs:
   build-geth: # build geth with circuit capacity checker
     if: github.event_name == 'push' # will only be triggered when pushing to main & staging & develop & alpha
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
@@ -62,6 +65,7 @@ jobs:
   check:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
@@ -81,6 +85,7 @@ jobs:
   goimports-lint:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
@@ -107,6 +112,7 @@ jobs:
   go-mod-tidy-lint:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2
@@ -130,6 +136,7 @@ jobs:
   test:
     if: github.event.pull_request.draft == false
     runs-on: ubuntu-latest
+    permissions: {}
     steps:
     - name: Install Go
       uses: actions/setup-go@v2

.github/workflows/semgrep.yml

@@ -15,6 +15,7 @@ jobs:
   semgrep:
     name: semgrep/ci
     runs-on: ubuntu-20.04
+    permissions: {}
     env:
       SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
     container:

.github/workflows/zizmor.yml

@@ -0,0 +1,34 @@
+name: zizmor GA Security Analysis
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+jobs:
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231 # v5.3.1
+
+      - name: Run zizmor
+        run: uvx zizmor --format sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif
+          category: zizmor