Merge pull request #33 from bci-oss/32-add-zizmor-action-step

Add zizmor.yml for SAST

Author: Yauhenikapl

.github/workflows/pull-request-check.yml

@@ -2,23 +2,27 @@ name: Check Pull Request
 on:
   pull_request:
     branches: [ main ]
+permissions: {}
 jobs:
   build-test:
+    permissions:
+      contents: read
+      pull-requests: read
     runs-on: ubuntu-latest
     name: "Build"
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 
     - name: Set up JDK 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e #v5.1.0
       with:
         distribution: 'temurin'
         java-version: '17'
 
     - name: Cache Maven packages
-      uses: actions/cache@v3
+      uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb #v5.0.1
       with:
         path: ~/.m2/repository
         key: maven-${{ hashFiles('**/pom.xml') }}

.github/workflows/release.yml

@@ -5,17 +5,25 @@ on:
       release_version:
         description: 'Version number of the release'
         required: true
+env:
+  RELEASE_VERSION: ${{ github.event.inputs.release_version }}
+permissions: {}
 jobs:
   build-and-release:
+    permissions:
+      contents: write
+      actions: read
+      issues: write
+      pull-requests: write
     runs-on: ubuntu-latest
     name: "Build and release"
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
 
     - name: Set up JDK 17
-      uses: actions/setup-java@v4
+      uses: actions/setup-java@f2beeb24e141e01a676f977032f5a29d81c9e27e #v5.1.0
       with:
         distribution: 'temurin'
         java-version: '17'
@@ -29,7 +37,7 @@ jobs:
     - name: Build artifact and release to Maven Central
       run: |
         set -x
-        ./mvnw -B versions:set -DnewVersion=${{ github.event.inputs.release_version }}
+        ./mvnw -B versions:set -DnewVersion=${RELEASE_VERSION}
         ./mvnw -B versions:commit
         ./mvnw -B -U clean deploy -Psign,release-build
       env:
@@ -42,20 +50,20 @@ jobs:
     # - Create Github release
 
     - name: Commit version changes and push to upstream repository
-      uses: stefanzweifel/git-auto-commit-action@v4
+      uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
       with:
          branch: main
          commit_user_name: github-actions
          commit_user_email: github-actions@github.com
          commit_author: Actions <actions@github.com>
-         commit_message: "Set to version ${{ github.event.inputs.release_version }}"
+         commit_message: "Set to version ${{ env.RELEASE_VERSION }}"
          file_pattern: 'pom.xml'
 
     - name: Create GitHub release
-      uses: softprops/action-gh-release@v1
+      uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
       with:
         body: "Create Github release"
-        tag_name: v${{ github.event.inputs.release_version }}
+        tag_name: v${{ env.RELEASE_VERSION }}
         target_commitish: main
         draft: false
         prerelease: false
@@ -69,7 +77,7 @@ jobs:
         ./mvnw -B versions:commit
 
     - name: Commit version changes and push to upstream repository
-      uses: stefanzweifel/git-auto-commit-action@v4
+      uses: stefanzweifel/git-auto-commit-action@04702edda442b2e678b25b537cec683a1493fcb9 # v7.1.0
       with:
          branch: main
          commit_user_name: github-actions

.github/workflows/zizmor.yml

@@ -0,0 +1,33 @@
+#
+# Copyright (c) 2026 Robert Bosch Manufacturing Solutions GmbH, Germany. All rights reserved.
+#
+name: GitHub Actions SAST (zizmor)
+
+on:
+  pull_request:
+    branches: [ main ]
+  push:
+    branches: [ main ]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor (PR annotations)
+        uses: zizmorcore/zizmor-action@e639db99335bc9038abc0e066dfcd72e23d26fb4 # v0.3.0
+        with:
+          advanced-security: false
+          version: v1.22.0
+          annotations: true
+          persona: auditor
+          min-severity: medium