ci: add zizmor for GitHub Actions security analysis

[bskim45]

Summary

• Pin all actions to SHA in release_docker.yml for supply chain safety
• Add persist-credentials: false to checkout steps
• Create zizmor.yml CI workflow with SARIF upload to GitHub Code Scanning
• Add zizmor pre-commit hook for local security checks

Test plan

• uvx zizmor . passes with no findings
• pre-commit run zizmor --all-files passes

Summary by CodeRabbit

• Chores
  • Pinned CI actions to exact revisions and set checkout credentials handling for more reliable, reproducible builds.
  • Replaced generic action versions with explicit, immutable references across workflows.
• New Features
  • Added a CI security analysis workflow to run automated security checks on push and PRs.
• Development
  • Added pre-commit hooks for GitHub Actions linting and security scanning to local checks.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the project's CI/CD security posture by integrating Zizmor for comprehensive GitHub Actions security analysis. It introduces measures to improve supply chain safety by pinning action versions and disabling credential persistence, alongside establishing a dedicated CI workflow for code scanning and enabling local security checks via a pre-commit hook.

Highlights

• Supply Chain Safety: Pinned all actions to SHA in release_docker.yml to enhance supply chain security.
• Credential Management: Added persist-credentials: false to checkout steps to prevent unintended credential exposure.
• CI Workflow Integration: Created a new zizmor.yml CI workflow for security analysis, including SARIF upload to GitHub Code Scanning.
• Local Security Checks: Integrated a Zizmor pre-commit hook to enable local security checks before code commits.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• .pre-commit-config.yaml
  • Added the Zizmor pre-commit hook configuration.

Ignored Files

• Ignored by pattern: .github/workflows/** (2)
  • .github/workflows/release_docker.yml
  • .github/workflows/zizmor.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[coderabbitai]

Warning

Rate limit exceeded

@bskim45 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 13 minutes and 4 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 3124c5a1-de19-4805-88c0-1209dcfcd0f4

📥 Commits

Reviewing files that changed from the base of the PR and between 5e36794 and d54d3ce.

📒 Files selected for processing (1)

• .pre-commit-config.yaml

Walkthrough

Updates CI/security tooling: pins multiple actions in the Docker release workflow to commit SHAs and adds persist-credentials handling; adds two new workflows for zizmor security analysis and actionlint; and expands pre-commit configuration to include actionlint and zizmor hooks.

Changes

Cohort / File(s)	Summary
Docker Release Workflow ​.github/workflows/release_docker.yml	Replaced several GitHub Actions references with explicit commit SHAs (checkout, setup-qemu, setup-buildx, login, metadata, build-push). Added persist-credentials: false to checkout. Logical workflow steps unchanged.
Zizmor Security Workflow ​.github/workflows/zizmor.yml	Added new workflow "GitHub Actions Security Analysis" that runs zizmor-action (pinned to a commit) on pushes to main and on pull requests.
Actionlint Workflow ​.github/workflows/actionlint.yml	Added new "GitHub Actions Lint" workflow that runs actionlint (pinned to a commit) on pushes to main and on pull requests; checkout uses persist-credentials: false.
Pre-commit configuration .pre-commit-config.yaml	Added two repos/hooks: rhysd/actionlint at v1.7.11 (actionlint) and zizmorcore/zizmor-pre-commit at v1.23.1 (zizmor) alongside existing hooks.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: add zizmor for GitHub Actions security analysis' directly aligns with the PR's primary objective of adding zizmor for security analysis. However, it incompletely represents the full scope of changes, which also include pinning actions in release_docker.yml, adding persist-credentials handling, introducing actionlint, and adding pre-commit hooks.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch ci/add-zizmor

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request enhances the project's security posture by integrating the zizmor security scanner. The changes include adding a zizmor pre-commit hook and, as described, new GitHub Actions workflows for security analysis. My review of the provided changes includes one recommendation to further harden the supply chain security by pinning the new pre-commit hook to a commit SHA, which is consistent with the goal of pinning other actions mentioned in the pull request description.

[gemini-code-assist]

For improved supply chain security, it's recommended to pin the rev to a specific commit SHA instead of a tag. Tags are mutable and can be moved to point to a different commit, which could introduce a supply chain risk. Since a goal of this PR is to improve security by pinning actions to a SHA, it would be consistent to apply the same practice here. Please replace the tag v1.23.1 with its corresponding full commit SHA.

[Copilot]

Pull request overview

Adds automated GitHub Actions security analysis via zizmor and tightens CI supply-chain security by pinning actions and reducing checkout token persistence.

Changes:

• Add zizmor as a pre-commit hook for local workflow security checks.
• Introduce a zizmor.yml GitHub Actions workflow intended to run zizmor in CI.
• Pin GitHub Actions used in release_docker.yml to SHAs and set persist-credentials: false on checkout.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
.pre-commit-config.yaml	Adds zizmor pre-commit hook for local checks.
.github/workflows/zizmor.yml	New CI workflow to run zizmor with minimal permissions.
.github/workflows/release_docker.yml	Pins actions to SHAs, disables persisted checkout credentials, and adds a zizmor suppression annotation.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.