@Thegaram Thegaram commented Mar 14, 2025

1. Purpose or design rationale of this PR

Add GitHub Action static analysis tool recommended during the recent audit.

2. PR title

Your PR title must follow conventional commits (as we are doing squash merge for each PR), so it must start with one of the following types:

  • ci: Changes to our CI configuration files and scripts (example scopes: vercel, github, cypress)

3. Deployment tag versioning

Has the version in params/version.go been updated?

  • This PR doesn't involve a new deployment, git tag, docker image tag, and it doesn't affect traces

4. Breaking change label

Does this PR have the breaking-change label?

  • This PR is not a breaking change

Summary by CodeRabbit

  • New Features

    • Introduced an automated security analysis process that runs on branch pushes and pull requests, enhancing overall project security visibility.
  • Chores

    • Enhanced various automation workflows for version management, container builds, and continuous integration with updated dependency configurations and explicit permissions.
    • Added a new workflow for security analysis using the Zizmor tool.

coderabbitai bot commented Mar 14, 2025

Warning

Rate limit exceeded

@Thegaram has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 1 minute and 55 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between bfa7d99 and 2aadf99.

📒 Files selected for processing (1)
  • .github/workflows/zizmor.yml (1 hunks)

Walkthrough

The PR updates several GitHub Actions workflow files by explicitly defining permissions for various jobs and correcting minor mistakes. Changes include updating action versions, adding empty or specific permissions blocks, correcting typos, and introducing a new workflow for running Zizmor security analysis with steps for code checkout, tool installation, analysis execution, and SARIF report uploading.

Changes

File(s) Change Summary
.github/workflows/bump_version.yml Adds a permissions block with contents: write for the try-to-bump job; updates actions/checkout from v3 to v4 with persist-credentials: true; fixes a typo in an echo statement; updates stefanzweifel/git-auto-commit-action to v5.1.0 and adds commit_author: bump-version-bot.
.github/workflows/docker-arm64.yaml, .github/workflows/docker.yaml, .github/workflows/semgrep.yml, .github/workflows/l2geth_ci.yml Introduces empty permissions blocks in jobs to explicitly set default permissions; in l2geth_ci.yml, duplicates the name: CI line at the beginning.
.github/workflows/zizmor.yml Adds a new workflow for Zizmor security analysis triggered on pushes/PRs; includes steps for checking out code (using actions/checkout@v4), installing the uv tool, running analysis with uvx zizmor --format sarif ., and uploading the SARIF report.

Sequence Diagram(s)

sequenceDiagram
    participant Trigger as GitHub Trigger
    participant W as Workflow Engine
    participant Checkout as Checkout Action
    participant Installer as UV Installer
    participant Analyzer as Zizmor Analyzer
    participant Uploader as SARIF Uploader

    Trigger->>W: Trigger on push/PR
    W->>Checkout: Checkout repository (v4)
    Checkout-->>W: Code available
    W->>Installer: Run astral-sh/setup-uv to install uv tool
    Installer-->>W: uv tool installed
    W->>Analyzer: Execute "uvx zizmor --format sarif ."
    Analyzer-->>W: Generate SARIF results
    W->>Uploader: Upload SARIF file via codeql-action
    Uploader-->>W: SARIF file uploaded

Suggested Reviewers

  • georgehao
  • colinlyguo
  • omerfirmak

Poem

I'm a hopping rabbit, full of cheer,
In workflows and scripts, my leaps are clear.
Permissions set with precise command,
Version bumps and fixes all well planned.
From Zizmor scans to secure code flights,
I celebrate these changes under moonlit nights!
(_/)


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (3)
.github/workflows/zizmor.yml (3)

1-2: Header and Workflow Name Clarity
The workflow name is clear and descriptive. Consider adding a brief comment at the top explaining the purpose of this workflow (e.g., running Zizmor security analysis) to aid future maintainers.


3-8: Event Triggers and Branch Filters
The workflow triggers on pushes to the "main" branch and pull requests for all branches. Please double-check if using "**" for pull_request branch filtering is intentional, as it effectively matches every branch.


35-35: Minor Formatting Note
A newline at the end of the file can improve readability and prevent potential issues with some tools.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 94fcd7d and 2c4aa45.

📒 Files selected for processing (6)
  • .github/workflows/bump_version.yml (2 hunks)
  • .github/workflows/docker-arm64.yaml (2 hunks)
  • .github/workflows/docker.yaml (1 hunks)
  • .github/workflows/l2geth_ci.yml (7 hunks)
  • .github/workflows/semgrep.yml (1 hunks)
  • .github/workflows/zizmor.yml (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: test
🔇 Additional comments (16)
.github/workflows/semgrep.yml (1)

18-18: Permissions Block Added

The explicit addition of permissions: {} for the semgrep job now clearly defines its permission context. This change aligns with the overall security approach and standardizes permission settings across workflows.

.github/workflows/bump_version.yml (2)

17-18: Explicit Permissions Declaration

The addition of an empty permissions: {} block in the try-to-bump job explicitly sets the job’s permission context. This consistency improves security clarity without changing the job behavior.


34-34: Echo Message Correction

Updating the echo statement to read "checking version changes in diff..." improves clarity by fixing the previous typographical error. Nice catch!

.github/workflows/docker-arm64.yaml (1)

14-14: Permissions Block for Docker-arm64 Job

The addition of permissions: {} in the build-and-push-arm64-image job explicitly controls the job’s permissions. This update is consistent with other workflows and enhances security clarity.

.github/workflows/docker.yaml (1)

13-14: Defining Explicit Permissions

The explicit inclusion of permissions: {} in the build-and-push job ensures that the job’s permission context is clearly defined. This approach aligns with the updated security practices across all CI workflows.

.github/workflows/l2geth_ci.yml (6)

1-2: Workflow Naming Update

The workflow now includes the explicit name "CI" at the top. While this improves clarity, verify that using a generic name does not conflict with naming conventions for similar workflows.


21-21: Permissions Block for build-mock-ccc-geth Job

Adding permissions: {} here explicitly sets the permissions for the build-mock-ccc-geth job. This ensures a well-defined security context consistent with the rest of the workflows.


40-40: Permissions Block for build-geth Job

The insertion of permissions: {} clarifies the permission settings for the build-geth job. Confirm that no additional permissions are needed for any step in this job.


68-68: Permissions Block for Check Job

Explicitly declaring permissions: {} for the check job establishes a consistent security baseline. This change follows the same pattern applied across the CI workflows.


115-115: Permissions Block for go-mod-tidy-lint Job

The addition of permissions: {} for the go-mod-tidy-lint job ensures that its permission context is explicitly managed. This is in line with the overall improvements across the workflows.


139-139: Permissions Block for Test Job

Adding an explicit permissions: {} for the test job brings clarity by defining its operational context explicitly. This consistency across all jobs is beneficial.

.github/workflows/zizmor.yml (5)

9-15: Jobs Configuration and Permissions
The job "zizmor" is configured to run on the latest Ubuntu image with an explicit permissions block (security-events: write), which is a good security practice. Confirm if no further permissions are needed for subsequent steps.


16-21: Repository Checkout Step
Using actions/checkout@v4 with persist-credentials: false is appropriate for security. This step is implemented correctly.


22-24: UV Installation Step
The step to install uv uses a pinned commit (astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231), ensuring reproducibility. Just remember to update the commit hash in the future when newer stable versions are available if needed.


25-29: Running Zizmor Analysis
The command uvx zizmor --format sarif . > results.sarif appears correctly formed, and setting the GH_TOKEN from secrets ensures secure authentication. Verify that the generated results.sarif file is in the expected location for the subsequent upload step.


30-34: SARIF File Upload Step
Uploading the SARIF file using github/codeql-action/upload-sarif@v3 with the specified category "zizmor" is implemented correctly. It would be beneficial to ensure the file path remains consistent between steps in case of any directory changes.
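The zizmor.yml workflow as the review above describes it, assembled here as an added example rather than copied from the PR: push/pull_request triggers, job-level permissions limited to security-events: write, checkout with persist-credentials: false, setup-uv pinned to the commit SHA quoted in the review, the zizmor run writing results.sarif, and the SARIF upload under the "zizmor" category. The workflow name, the main branch name, the use of secrets.GITHUB_TOKEN for GH_TOKEN and the test-time step names are assumptions; the page does not give a version tag for the pinned setup-uv commit, so none is written.

```yaml
# Added example reconstructed from the review comments; not the PR's file.
name: Zizmor security analysis   # assumed name

on:
  push:
    branches: ["main"]           # branch name assumed from the review text
  pull_request:
    branches: ["**"]             # matches every branch, as the nitpick above notes

jobs:
  zizmor:
    runs-on: ubuntu-latest
    # Only the scope the SARIF upload needs; every other GITHUB_TOKEN scope is
    # "none". Private repositories would also need contents: read (checkout)
    # and actions: read (upload-sarif); a public repository does not.
    permissions:
      security-events: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave the token in .git/config

      - name: Install uv
        # Pinned to a full commit SHA (from the review) rather than a mutable tag,
        # so a re-tagged release cannot change what runs here.
        uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231

      - name: Run zizmor
        run: uvx zizmor --format sarif . > results.sarif
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # token source assumed

      - name: Upload SARIF report
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif   # same path the run step writes to
          category: zizmor
```

The two points the reviewer flags in the walkthrough are both visible here: the run step and the upload step agree on `results.sarif`, and the job declares exactly one token scope, so an extra scope required by a later step would show up as a permissions failure rather than being silently granted.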

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2c4aa45 and 508105b.

📒 Files selected for processing (1)
  • .github/workflows/bump_version.yml (2 hunks)
🧰 Additional context used
🪛 actionlint (1.7.4)
.github/workflows/bump_version.yml

18-18: unknown permission scope "content". all available permission scopes are "actions", "attestations", "checks", "contents", "deployments", "discussions", "id-token", "issues", "packages", "pages", "pull-requests", "repository-projects", "security-events", "statuses"

(permissions)

⏰ Context from checks skipped due to timeout of 90000ms (1)
  • GitHub Check: test
🔇 Additional comments (1)
.github/workflows/bump_version.yml (1)

35-35: Echo Message Clarity Improvement

The echo statement now correctly spells "version" (previously misspelled as "verion"), improving the clarity of log outputs.
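The actionlint finding above and the empty permissions blocks described in the walkthrough, shown side by side as an added example (not the repository's bump_version.yml or l2geth_ci.yml): the misspelled scope that actionlint rejects, the corrected spelling for the one job that has to push a commit, and `permissions: {}` for a job that needs no token scopes at all. Job names follow the page; the test command and the checkout wiring of the second job are assumptions.

```yaml
# Added example; not the PR's workflow files.

# Rejected by actionlint: "unknown permission scope \"content\"". Valid scope
# names are the plural forms it lists (contents, issues, pull-requests, ...),
# so this block never grants what the job needs.
#
# permissions:
#   content: write

jobs:
  try-to-bump:
    runs-on: ubuntu-latest
    # Corrected: "contents: write" is the scope a job needs to push a commit.
    # Declared at job level so no other job in the workflow inherits it.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: true    # the commit action pushes with this token
      - name: Check for version changes
        run: echo "checking version changes in diff..."
      - uses: stefanzweifel/git-auto-commit-action@v5.1.0

  test:
    runs-on: ubuntu-latest
    # Least privilege: an empty block sets every GITHUB_TOKEN scope to "none",
    # which is all a read-only test job on a public repository requires.
    permissions: {}
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: go test ./...             # assumed test command
```

Running actionlint over the file before pushing catches the singular/plural mistake locally; the same linter is what CodeRabbit invoked in the review above.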

@Thegaram Thegaram merged commit 12536ac into develop Mar 15, 2025
14 checks passed
@Thegaram Thegaram deleted the ci-add-zizmor branch March 15, 2025 12:49