Fix zizmor security issues in GitHub Actions workflows

.github/dependabot.yml

@@ -4,22 +4,32 @@ updates:
     directory: /canary-release
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
   - package-ecosystem: github-actions
     directory: /check-cla
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
   - package-ecosystem: github-actions
     directory: /read-yaml
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
   - package-ecosystem: github-actions
     directory: /set-commit-status
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
   - package-ecosystem: pip
     directory: /
     schedule:
       interval: weekly
+    cooldown:
+      default-days: 7
   - package-ecosystem: github-actions
     directory: /.github/workflows
     schedule:
@@ -28,3 +38,5 @@ updates:
       workflows:
         patterns:
           - '*'
+    cooldown:
+      default-days: 7

.github/workflows/cla-trigger.yml

@@ -0,0 +1,35 @@
+name: CLA Trigger
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+permissions:
+  contents: read
+
+jobs:
+  save-pr-info:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Save PR metadata
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          PR_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          mkdir -p pr-info
+          echo "${PR_NUMBER}" > pr-info/number
+          echo "${PR_AUTHOR}" > pr-info/author
+          echo "${PR_URL}" > pr-info/url
+          echo "${PR_SHA}" > pr-info/sha
+
+      - name: Upload PR info
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: pr-info
+          path: pr-info/
+          retention-days: 1

.github/workflows/cla.yml

@@ -1,22 +1,61 @@
 name: CLA
 
 on:
+  # Triggered by comment to re-check CLA status
   issue_comment:
     types:
       - created
-  pull_request_target:
+
+  # Triggered after CLA Trigger workflow completes (safer than pull_request_target)
+  workflow_run:
+    workflows: [CLA Trigger]
+    types:
+      - completed
+
+permissions:
+  contents: read
+  pull-requests: write
+  statuses: write
+  actions: read  # Required to download artifacts from workflow_run
 
 jobs:
   check:
     if: >-
       !github.event.repository.fork
       && (
-        github.event.issue.pull_request
-        && github.event.comment.body == '@conda-bot check'
-        || github.event_name == 'pull_request_target'
+        (
+          github.event_name == 'issue_comment'
+          && github.event.issue.pull_request
+          && github.event.comment.body == '@conda-bot check'
+        )
+        || (
+          github.event_name == 'workflow_run'
+          && github.event.workflow_run.conclusion == 'success'
+        )
       )
     runs-on: ubuntu-latest
     steps:
+      # For workflow_run events, download PR info from artifact
+      - name: Download PR info
+        if: github.event_name == 'workflow_run'
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: pr-info
+          path: pr-info/
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set PR context from artifact
+        if: github.event_name == 'workflow_run'
+        id: pr-context
+        run: |
+          {
+            echo "number=$(cat pr-info/number)"
+            echo "author=$(cat pr-info/author)"
+            echo "url=$(cat pr-info/url)"
+            echo "sha=$(cat pr-info/sha)"
+          } >> "$GITHUB_OUTPUT"
+
       - name: Check CLA
         uses: conda/actions/check-cla@f05161c6e6e37a49b17c8e0b436197b53830318a # v25.9.2
         with:
@@ -33,3 +72,9 @@ jobs:
           # Token for opening signee PR in the provided `cla_repo`
           # (`pull_request: write` for fine-grained PAT; `repo` and `workflow` for classic PAT)
           cla_token: ${{ secrets.CLA_FORK_TOKEN }}
+
+          # PR context from workflow_run artifact (if applicable)
+          pr_number: ${{ steps.pr-context.outputs.number }}
+          pr_author: ${{ steps.pr-context.outputs.author }}
+          pr_url: ${{ steps.pr-context.outputs.url }}
+          pr_sha: ${{ steps.pr-context.outputs.sha }}

.github/workflows/issues.yml

@@ -6,6 +6,10 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  contents: read
+  issues: write
+
 env:
   FEEDBACK_LBL: pending::feedback
   SUPPORT_LBL: pending::support

.github/workflows/labels.yml

@@ -15,6 +15,9 @@ on:
         default: false
         type: boolean
 
+permissions:
+  contents: read
+
 jobs:
   sync:
     if: '!github.event.repository.fork'
@@ -24,6 +27,8 @@ jobs:
       LOCAL: .github/labels.yml
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - id: has_local
         uses: andstor/file-existence-action@076e0072799f4942c8bc574a82233e1e4d13e9d6 # v3.0.0

.github/workflows/project.yml

@@ -8,6 +8,9 @@ on:
     types:
       - opened
 
+permissions:
+  contents: read
+
 jobs:
   add_to_project:
     if: '!github.event.repository.fork'

.github/workflows/stale.yml

@@ -95,4 +95,6 @@ jobs:
           exempt-assignees: mingwandroid
 
       - name: Print outputs
-        run: echo ${{ join(steps.stale.outputs.*, ',') }}
+        env:
+          STALE_OUTPUTS: ${{ toJSON(steps.stale.outputs) }}
+        run: echo "${STALE_OUTPUTS}"

.github/workflows/tests.yml

@@ -13,6 +13,9 @@ on:
     # https://crontab.guru/#15_14_*_*_*
     - cron: 15 14 * * *
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -23,6 +26,8 @@ jobs:
     steps:
       - name: Checkout Source
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Cache Pip
         uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
@@ -52,6 +57,8 @@ jobs:
     steps:
       - name: Checkout Source
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Read Remote JSON
         id: json
@@ -80,15 +87,26 @@ jobs:
 
       - name: Run Tests
         shell: python
+        env:
+          JSON_CONTENT: ${{ steps.json.outputs.content }}
+          YAML_CONTENT: ${{ steps.yaml.outputs.content }}
+          JSON_FOO: ${{ fromJSON(steps.json.outputs.content)['foo'] }}
+          YAML_FOO: ${{ fromJSON(steps.yaml.outputs.content)['foo'] }}
         run: |
-          assert '''${{ steps.json.outputs.content }}''' == '''${{ steps.yaml.outputs.content }}'''
-          assert '''${{ fromJSON(steps.json.outputs.content)['foo'] }}''' == '''${{ fromJSON(steps.yaml.outputs.content)['foo'] }}'''
+          import os
+          assert os.environ['JSON_CONTENT'] == os.environ['YAML_CONTENT']
+          assert os.environ['JSON_FOO'] == os.environ['YAML_FOO']
 
   template-files:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Checkout Source
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Template Success
         id: templates-success
@@ -136,6 +154,9 @@ jobs:
     needs: [pytest, read-file, template-files]
     if: '!cancelled()'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - name: Determine Success
         uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe # v1.2.2
@@ -146,6 +167,8 @@ jobs:
       - name: Checkout our source
         if: always() && github.event_name != 'pull_request' && steps.alls-green.outputs.result == 'failure'
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        with:
+          persist-credentials: false
 
       - name: Report failures
         if: always() && github.event_name != 'pull_request' && steps.alls-green.outputs.result == 'failure'

.github/workflows/update.yml

@@ -12,6 +12,11 @@ on:
     types:
       - created
 
+permissions:
+  contents: read
+  pull-requests: write
+  issues: write
+
 jobs:
   update:
     if: >-
@@ -41,14 +46,17 @@ jobs:
       - if: github.event.comment.body == '@conda-bot render'
         name: Configure git origin
         run: |
-          echo REPOSITORY=$(curl --silent ${{ github.event.issue.pull_request.url }} | jq --raw-output '.head.repo.full_name') >> $GITHUB_ENV
-          echo REF=$(curl --silent ${{ github.event.issue.pull_request.url }} | jq --raw-output '.head.ref') >> $GITHUB_ENV
+          echo "REPOSITORY=$(curl --silent "${PR_URL}" | jq --raw-output '.head.repo.full_name')" >> "$GITHUB_ENV"
+          echo "REF=$(curl --silent "${PR_URL}" | jq --raw-output '.head.ref')" >> "$GITHUB_ENV"
+        env:
+          PR_URL: ${{ github.event.issue.pull_request.url }}
 
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           repository: ${{ env.REPOSITORY || github.repository }}
           ref: ${{ env.REF || '' }}
           token: ${{ secrets.SYNC_TOKEN }}
+          persist-credentials: false
 
       - name: Configure git user
         run: |
@@ -73,7 +81,7 @@ jobs:
       - if: github.event.comment.body != '@conda-bot render'
         name: Create fork
         # no-op if the repository is already forked
-        run: echo FORK=$(gh repo fork --clone=false --default-branch-only 2>&1 | awk '{print $1}') >> $GITHUB_ENV
+        run: echo "FORK=$(gh repo fork --clone=false --default-branch-only 2>&1 | awk '{print $1}')" >> "$GITHUB_ENV"
         env:
           GH_TOKEN: ${{ secrets.SYNC_TOKEN }}
 

.pre-commit-config.yaml

@@ -45,6 +45,14 @@ repos:
         files: .*/action.(yml|yaml)$
       - id: check-github-workflows
       - id: check-dependabot
+  - repo: https://github.com/zizmorcore/zizmor-pre-commit
+    rev: v1.20.0
+    hooks:
+      - id: zizmor
+  - repo: https://github.com/rhysd/actionlint
+    rev: v1.7.9
+    hooks:
+      - id: actionlint
   - repo: https://github.com/codespell-project/codespell
     # see setup.cfg
     rev: v2.4.1

canary-release/action.yml

@@ -65,6 +65,13 @@ runs:
       shell: bash -l {0}
       env:
         BINSTAR_API_TOKEN: ${{ inputs.anaconda-org-token }}
+        INPUT_CONDA_BUILD_ARGUMENTS: ${{ inputs.conda-build-arguments }}
+        INPUT_CONDA_BUILD_PATH: ${{ inputs.conda-build-path }}
+        INPUT_SUBDIR: ${{ inputs.subdir }}
+        INPUT_PACKAGE_NAME: ${{ inputs.package-name }}
+        INPUT_UPLOAD: ${{ inputs.upload }}
+        INPUT_ANACONDA_ORG_CHANNEL: ${{ inputs.anaconda-org-channel }}
+        INPUT_ANACONDA_ORG_LABEL: ${{ inputs.anaconda-org-label }}
       run: |
         echo "::group::Setting up environment"
         set -euo pipefail
@@ -89,36 +96,36 @@ runs:
         echo "::endgroup::"
 
         echo "::group::Building package"
-        conda build --croot=./pkgs ${{ inputs.conda-build-arguments }} ${{ inputs.conda-build-path }}
+        conda build --croot=./pkgs ${INPUT_CONDA_BUILD_ARGUMENTS} ${INPUT_CONDA_BUILD_PATH}
         echo "::endgroup::"
 
         echo "::group::Find packages"
         PACKAGES=(
           $(
-            find "./pkgs/${{ inputs.subdir }}" -type f \
+            find "./pkgs/${INPUT_SUBDIR}" -type f \
             \( \
-              -name "${{ inputs.package-name }}-*.tar.bz2" -o \
-              -name "${{ inputs.package-name }}-*.conda" \
+              -name "${INPUT_PACKAGE_NAME}-*.tar.bz2" -o \
+              -name "${INPUT_PACKAGE_NAME}-*.conda" \
             \)
           )
         )
         echo "::endgroup::"
-        if [[ "${{ inputs.upload }}" == "true" ]]; then
+        if [[ "${INPUT_UPLOAD}" == "true" ]]; then
           echo "::group::Uploading package"
           anaconda \
             upload \
             --force \
             --register \
             --no-progress \
-            --user="${{ inputs.anaconda-org-channel }}" \
-            --label="${{ inputs.anaconda-org-label }}" \
+            --user="${INPUT_ANACONDA_ORG_CHANNEL}" \
+            --label="${INPUT_ANACONDA_ORG_LABEL}" \
             "${PACKAGES[@]}"
           echo "Uploaded the following files:"
           basename -a "${PACKAGES[@]}"
           echo "::endgroup::"
 
           echo "Use this command to try out the build:"
-          echo "conda install -c ${{ inputs.anaconda-org-channel }}/label/${{ inputs.anaconda-org-label }} ${{ inputs.package-name }}"
+          echo "conda install -c ${INPUT_ANACONDA_ORG_CHANNEL}/label/${INPUT_ANACONDA_ORG_LABEL} ${INPUT_PACKAGE_NAME}"
         else
           echo "Skipping upload because 'upload != true'."
         fi