Hardening release github workflows

.github/workflows/_build-release.yml

@@ -74,17 +74,20 @@ jobs:
           #- target: aarch64-pc-windows-msvc
           #  os: windows-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ inputs.ref }}
+          persist-credentials: false
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           target: ${{ matrix.target }}
 
       - name: Install cross
         if: matrix.cross
-        uses: taiki-e/install-action@cross
+        uses: taiki-e/install-action@899b013517f9e7774591216672bf75a46bb9a481 # v2.9.4
+        with:
+          tool: cross
 
       - name: Enable cross-compilation
         if: matrix.cross
@@ -94,15 +97,17 @@ jobs:
       - name: Build
         run: ${{ env.CARGO }} build --release --locked --target ${{ matrix.target }} --workspace --exclude scarb-prove --exclude scarb-verify ${{ !inputs.include-cairols && '--exclude scarb-cairo-language-server' || ''}} --no-default-features ${{ inputs.include-lint && '--features scarb/scarb-lint' || ''}}
 
-      - uses: dtolnay/rust-toolchain@master
+      - uses: dtolnay/rust-toolchain@3c5f7ea28cd621ae0bf5283f0e981fb97b8a7af9 # master
         if: inputs.include-stwo
         with:
           target: ${{ matrix.target }}
           toolchain: ${{ env.RUST_NIGHTLY_TOOLCHAIN }}
 
       - name: Install cross
         if: matrix.cross && inputs.include-stwo
-        uses: taiki-e/install-action@cross
+        uses: taiki-e/install-action@899b013517f9e7774591216672bf75a46bb9a481 # v2.9.4
+        with:
+          tool: cross
 
       - name: Enable cross-compilation
         if: matrix.cross && inputs.include-stwo
@@ -113,7 +118,7 @@ jobs:
         if: inputs.include-stwo
         run: ${{ env.CARGO }} build --release --locked --target ${{ matrix.target }} -p scarb-prove -p scarb-verify
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           target: ${{ matrix.target }}
 
@@ -124,7 +129,7 @@ jobs:
           TARGET: ${{ matrix.target }}
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: build-${{ matrix.target }}
           path: scarb-${{ inputs.scarb-tag }}-${{ matrix.target }}.*
@@ -151,17 +156,18 @@ jobs:
             os: windows-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ inputs.ref }}
+          persist-credentials: false
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
 
       - name: Build xtasks
         run: cargo build -p xtask
 
       - name: Download artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: build-${{ matrix.target }}
           path: target/verify
@@ -179,7 +185,7 @@ jobs:
     needs: build
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           path: artifacts-dl
 
@@ -195,7 +201,7 @@ jobs:
           cat checksums.sha256
 
       - name: Upload artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: checksums
           path: artifacts/checksums.*

.github/workflows/build-dev.yml

@@ -36,10 +36,16 @@ on:
         type: boolean
         default: true
 
+permissions: {}
+
 jobs:
   dev-build:
     uses: ./.github/workflows/nightly.yml
-    secrets: inherit
+    permissions:
+      contents: write
+    secrets:
+      SCARB_NIGHTLIES_CONTENTS_WRITE: ${{ secrets.SCARB_NIGHTLIES_CONTENTS_WRITE }}
+      SLACK_NIGHTLY_FAILURE_WEBHOOK_URL: ${{ secrets.SLACK_NIGHTLY_FAILURE_WEBHOOK_URL }}
     with:
       dry_run: ${{ inputs.dry_run }}
       upgrade-cairo: ${{ inputs.upgrade-cairo }}

.github/workflows/nightly.yml

@@ -200,11 +200,14 @@ jobs:
       - uses: actions/checkout@v6
         with:
           ref: ${{ needs.prepare.outputs.nightly_branch }}
+          persist-credentials: false
 
       - name: Create source code archives
         run: |
-          git archive "--prefix=scarb-${{ needs.prepare.outputs.nightly_tag }}/" -o "scarb-${{ needs.prepare.outputs.nightly_tag }}.zip" HEAD
-          git archive "--prefix=scarb-${{ needs.prepare.outputs.nightly_tag }}/" -o "scarb-${{ needs.prepare.outputs.nightly_tag }}.tar.gz" HEAD
+          git archive "--prefix=scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}/" -o "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.zip" HEAD
+          git archive "--prefix=scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}/" -o "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.tar.gz" HEAD
+        env:
+          NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG: ${{ needs.prepare.outputs.nightly_tag }}
 
       - name: Download artifacts
         uses: actions/download-artifact@v8
@@ -221,20 +224,21 @@ jobs:
       - name: Create GitHub release
         run: |
           gh release create \
-            "${{ needs.prepare.outputs.nightly_tag }}" \
+            "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}" \
             --repo software-mansion/scarb-nightlies \
             ${{ !inputs.is_dev && '--latest' || '--latest=false' }} \
-            --title "${{ needs.prepare.outputs.nightly_tag }}" \
+            --title "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}" \
             --notes-file NIGHTLY_RELEASE_NOTES.md
         env:
           GH_TOKEN: ${{ secrets.SCARB_NIGHTLIES_CONTENTS_WRITE }}
+          NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG: ${{ needs.prepare.outputs.nightly_tag }}
 
       - name: Upload release assets
         run: |
           for file in \
             ./artifacts/* \
-            "scarb-${{ needs.prepare.outputs.nightly_tag }}.zip#Scarb source code (zip)" \
-            "scarb-${{ needs.prepare.outputs.nightly_tag }}.tar.gz#Scarb source code (tar.gz)"
+            "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.zip#Scarb source code (zip)" \
+            "scarb-${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}.tar.gz#Scarb source code (tar.gz)"
           do
             # If there isn't # in name, it means that it is a build artifact
             # and we need to remove version tag from the name, so it can be
@@ -251,12 +255,13 @@ jobs:
             fi
 
             gh release upload \
-              "${{ needs.prepare.outputs.nightly_tag }}" \
+              "${NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG}" \
               "$file" \
               --repo software-mansion/scarb-nightlies
           done
         env:
           GH_TOKEN: ${{ secrets.SCARB_NIGHTLIES_CONTENTS_WRITE }}
+          NEEDS_PREPARE_OUTPUTS_NIGHTLY_TAG: ${{ needs.prepare.outputs.nightly_tag }}
 
   cleanup:
     runs-on: ubuntu-latest
@@ -266,7 +271,9 @@ jobs:
       - uses: actions/checkout@v6
       - name: Delete nightly branch
         run: |
-          git push origin -d ${{ needs.prepare.outputs.nightly_branch }}
+          git push origin -d ${NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH}
+        env:
+          NEEDS_PREPARE_OUTPUTS_NIGHTLY_BRANCH: ${{ needs.prepare.outputs.nightly_branch }}
 
   notify_failed:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -5,8 +5,7 @@ on:
     tags:
       - v[0-9]+.*
 
-permissions:
-  contents: write
+permissions: {}
 
 jobs:
   check:
@@ -22,11 +21,15 @@ jobs:
     name: draft release
     runs-on: ubuntu-latest
     needs: [ check, release ]
+    permissions:
+      contents: write
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Download artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           path: artifacts-dl
 
@@ -40,11 +43,12 @@ jobs:
       - name: Draft GitHub release
         run: |
           gh release create \
-            '${{ github.ref_name }}' \
+            "${RELEASE_TAG}" \
             ./artifacts/* \
             --draft \
-            --title '${{ github.ref_name }}' \
+            --title "${RELEASE_TAG}" \
             --generate-notes \
             --verify-tag
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          RELEASE_TAG: ${{ github.ref_name }}

.github/workflows/zizmor.yml

@@ -0,0 +1,35 @@
+name: Workflow Security Analysis
+
+on:
+  push:
+    branches: ["main"]
+    paths:
+      - ".github/workflows/_build_release.yml"
+      - ".github/workflows/nightly.yml"
+      - ".github/workflows/release.yml"
+  pull_request:
+    paths:
+      - ".github/workflows/_build_release.yml"
+      - ".github/workflows/nightly.yml"
+      - ".github/workflows/release.yml"
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6
+        with:
+          workspace: >-
+            .github/workflows/_build_release.yml
+            .github/workflows/nightly.yml
+            .github/workflows/release.yml