Add zizmor workflow

smoshiur1237 · smoshiur1237 · commit 1af4fabd04c1 · 2026-03-11T09:40:20.000+02:00
Signed-off-by: smoshiur1237 &lt;moshiur.rahman@est.tech&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -12,10 +12,12 @@ updates:
   target-branch: main
   groups:
     all-github-actions:
-      patterns: ["*"]
+      patterns: [ "*" ]
   commit-message:
     prefix: ":seedling:"
     include: scope
+  cooldown:
+    default-days: 7
   labels:
   - "area/dependency"
   - "ok-to-test"
@@ -30,20 +32,22 @@ updates:
   target-branch: main
   groups:
     all-go-mod-patch-and-minor:
-      patterns: ["*"]
-      update-types: ["patch", "minor"]
+      patterns: [ "*" ]
+      update-types: [ "patch", "minor" ]
   commit-message:
     prefix: ":seedling:"
     include: scope
   ignore:
   # Ignore controller-runtime major and minor bumps as its upgraded manually.
   - dependency-name: "sigs.k8s.io/controller-runtime"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   # Ignore k8s major and minor bumps and its transitives modules
   - dependency-name: "k8s.io/*"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   - dependency-name: "sigs.k8s.io/controller-tools"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+  cooldown:
+    default-days: 7
   labels:
   - "area/dependency"
   - "ok-to-test"
@@ -58,10 +62,12 @@ updates:
   target-branch: release-0.14
   groups:
     all-github-actions:
-      patterns: ["*"]
+      patterns: [ "*" ]
   commit-message:
     prefix: ":seedling:"
     include: scope
+  cooldown:
+    default-days: 7
   labels:
   - "area/dependency"
   - "ok-to-test"
@@ -76,23 +82,25 @@ updates:
   target-branch: release-0.14
   groups:
     all-go-mod-patch-and-minor:
-      patterns: ["*"]
-      update-types: ["patch", "minor"]
+      patterns: [ "*" ]
+      update-types: [ "patch", "minor" ]
   commit-message:
     prefix: ":seedling:"
     include: scope
   ignore:
   # Ignore CAPI major and minor bumps
   - dependency-name: "sigs.k8s.io/cluster-api*"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   # Ignore controller-runtime major and minor bumps as its upgraded manually.
   - dependency-name: "sigs.k8s.io/controller-runtime"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   # Ignore k8s major and minor bumps and its transitives modules
   - dependency-name: "k8s.io/*"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   - dependency-name: "sigs.k8s.io/controller-tools"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+  cooldown:
+    default-days: 7
   labels:
   - "area/dependency"
   - "ok-to-test"
@@ -107,10 +115,12 @@ updates:
   target-branch: release-0.13
   groups:
     all-github-actions:
-      patterns: ["*"]
+      patterns: [ "*" ]
   commit-message:
     prefix: ":seedling:"
     include: scope
+  cooldown:
+    default-days: 7
   labels:
   - "area/dependency"
   - "ok-to-test"
@@ -125,27 +135,30 @@ updates:
   target-branch: release-0.13
   groups:
     all-go-mod-patch-and-minor:
-      patterns: ["*"]
-      update-types: ["patch", "minor"]
+      patterns: [ "*" ]
+      update-types: [ "patch", "minor" ]
   commit-message:
     prefix: ":seedling:"
     include: scope
   ignore:
   # Ignore CAPI major and minor bumps
   - dependency-name: "sigs.k8s.io/cluster-api*"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   # Ignore controller-runtime major and minor bumps as its upgraded manually.
   - dependency-name: "sigs.k8s.io/controller-runtime"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   # Ignore k8s major and minor bumps and its transitives modules
   - dependency-name: "k8s.io/*"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   - dependency-name: "sigs.k8s.io/controller-tools"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
   # Ignore ORC major and minor bumps to prevent cascading k8s.io and controller-runtime updates
   - dependency-name: "github.com/k-orc/openstack-resource-controller*"
-    update-types: ["version-update:semver-major", "version-update:semver-minor"]
+    update-types: [ "version-update:semver-major", "version-update:semver-minor" ]
+  cooldown:
+    default-days: 7
   labels:
   - "area/dependency"
   - "ok-to-test"
+
 ## release-0.13 branch config ends here
diff --git a/.github/workflows/pr-link-check.yaml b/.github/workflows/pr-link-check.yaml
@@ -30,20 +30,27 @@ jobs:
         git fetch upstream
 
     - name: Checkout base branch
-      run: git checkout "upstream/${{ github.event.pull_request.base.ref }}"
+      env:
+        BASE_REF: ${{ github.event.pull_request.base.ref }}
+      run: git checkout "upstream/${BASE_REF}"
 
     - name: Get list of changed Markdown files
       id: changed-files
+      env:
+        BASE_REF: ${{ github.event.pull_request.base.ref }}
+        HEAD_REF: ${{ github.head_ref }}
       run: |
-        git diff --name-only "upstream/${{ github.event.pull_request.base.ref }}...${{ github.head_ref }}" -- "*.md" > changed-files.txt
+        git diff --name-only "upstream/${BASE_REF}...${HEAD_REF}" -- "*.md" > changed-files.txt
         cat changed-files.txt
         if [[ -s "changed-files.txt" ]]; then
           echo "Changed md files found"
           echo "foundFiles=true" >> "${GITHUB_ENV}"
         fi
 
     - name: Switch to PR branch
-      run: git checkout ${{ github.head_ref }}
+      env:
+        HEAD_REF: ${{ github.head_ref }}
+      run: git checkout "${HEAD_REF}"
 
     - name: Check links in changed files
       if: env.foundFiles == 'true'
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -19,7 +19,7 @@ jobs:
       release_tag: ${{ steps.release-version.outputs.release_version }}
     if: github.repository == 'kubernetes-sigs/cluster-api-provider-openstack'
     steps:
-    - name: Checkout code
+    - name: Checkout code # zizmor: ignore[artipacked]
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
       with:
         fetch-depth: 0
@@ -92,7 +92,7 @@ jobs:
       run: echo "RELEASE_TAG=${RELEASE_TAG}" >> ${GITHUB_ENV}
       env:
         RELEASE_TAG: ${{needs.push_release_tags.outputs.release_tag}}
-    - name: checkout code
+    - name: checkout code # zizmor: ignore[artipacked]
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
       with:
         fetch-depth: 0
@@ -103,6 +103,7 @@ jobs:
       uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0
       with:
         go-version: ${{ env.go_version }}
+        cache: false
     - name: generate release artifacts
       run: |
         make release
diff --git a/.github/workflows/update-golangci-lint.yaml b/.github/workflows/update-golangci-lint.yaml
@@ -36,8 +36,10 @@ jobs:
         echo "CURRENT_VERSION=${CURRENT_VERSION}" >> $GITHUB_OUTPUT
     - name: Update Makefile if needed
       if: ${{ steps.check_version.outputs.current_version != steps.get_version.outputs.latest_version }}
+      env:
+        LATEST_VERSION: ${{ steps.get_version.outputs.latest_version }}
       run: |
-        sed -i "s/GOLANGCI_LINT_VERSION ?= .*/GOLANGCI_LINT_VERSION ?= ${{ steps.get_version.outputs.latest_version }}/" hack/tools/Makefile
+        sed -i "s/GOLANGCI_LINT_VERSION ?= .*/GOLANGCI_LINT_VERSION ?= ${LATEST_VERSION}/" hack/tools/Makefile
     - name: Create Pull Request
       if: ${{ steps.check_version.outputs.current_version != steps.get_version.outputs.latest_version }}
       uses: peter-evans/create-pull-request@c0f553fe549906ede9cf27b5156039d195d2ece0 # tag=v8.1.0
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,36 @@
+---
+# Static analysis for GitHub Actions workflows
+# https://docs.zizmor.sh/
+name: zizmor
+
+on:
+  push:
+    branches:
+    - main
+  pull_request:
+    branches:
+    - main
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
+    # Upload SARIF to Security tab on push to main
+    - name: Run zizmor (SARIF)
+      if: github.event_name == 'push'
+      uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+    # Block PRs with findings
+    - name: Run zizmor (PR check)
+      if: github.event_name == 'pull_request'
+      uses: zizmorcore/zizmor-action@0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d # v0.5.0
+      with:
+        advanced-security: false
