DO-1802: Add Yamllinting, actionlinting and zizmor static analysis

.github/actionlint.yml

@@ -0,0 +1,6 @@
+paths:
+  # CST_REPORTING_TOKEN is an org-level secret — not declared in the workflow
+  # but valid at runtime. actionlint cannot see org-level secrets.
+  ".github/workflows/magento-cloud-deploy.yml":
+    ignore:
+      - 'property "cst_reporting_token" is not defined'

.github/actions/command-exists/action.yml

@@ -23,7 +23,7 @@ runs:
     - id: check-script
       shell: bash
       run: |
-        cmd="${{ inputs.command }}"
+        cmd="${INPUTS_COMMAND}"
 
         # Check root package.json scripts
         if jq -e --arg cmd "$cmd" '.scripts[$cmd]' package.json > /dev/null 2>&1; then
@@ -58,7 +58,8 @@ runs:
         if [ -f "pnpm-workspace.yaml" ]; then
           # Extract package paths from YAML list items, stripping optional quotes
           # Matches: "  - packages/*", "  - 'apps/*'", '  - "libs/*"' -> packages/*, apps/*, libs/*
-          pnpm_packages=$(grep -E '^\s*-\s+' pnpm-workspace.yaml | sed "s/.*-\s*['\"]\\{0,1\\}\([^'\"]*\\)['\"]\\{0,1\\}/\1/" 2>/dev/null)
+          pnpm_packages=$(grep -E '^\s*-\s+' pnpm-workspace.yaml \
+            | sed "s/.*-\s*['\"]\\{0,1\\}\([^'\"]*\\)['\"]\\{0,1\\}/\1/" 2>/dev/null)
           for pattern in $pnpm_packages; do
             for pkg_dir in $pattern; do
               if [ -f "$pkg_dir/package.json" ]; then
@@ -72,11 +73,13 @@ runs:
         fi
 
         echo "exists=false" >> $GITHUB_OUTPUT
+      env:
+        INPUTS_COMMAND: ${{ inputs.command }}
 
     - id: check-nx
       shell: bash
       run: |
-        cmd="${{ inputs.command }}"
+        cmd="${INPUTS_COMMAND}"
 
         # Check Nx targets if this is an Nx workspace
         if [ -f "nx.json" ]; then
@@ -86,4 +89,6 @@ runs:
           fi
         fi
 
-        echo "exists=false" >> $GITHUB_OUTPUT
+        echo "exists=false" >> $GITHUB_OUTPUT
+      env:
+        INPUTS_COMMAND: ${{ inputs.command }}

.github/actions/run-checks/action.yml

@@ -22,10 +22,10 @@ runs:
       shell: bash
       run: |
         debug=${{ inputs.debug == 'true' && '--verbose' || '' }}
-        pm=${{ inputs.package-manager }}
+        pm=${INPUTS_PACKAGE_MANAGER}
 
         # Parse JSON array of commands
-        readarray -t commands < <(echo '${{ inputs.commands }}' | jq -r '.[]')
+        readarray -t commands < <(echo '${INPUTS_COMMANDS}' | jq -r '.[]')
 
         if [ ${#commands[@]} -gt 0 ]; then
           # Build the full command strings
@@ -39,6 +39,9 @@ runs:
         else
           echo "No commands to run"
         fi
+      env:
+        INPUTS_PACKAGE_MANAGER: ${{ inputs.package-manager }}
+        INPUTS_COMMANDS: ${{ inputs.commands }}
     - id: remove-matchers
       if: always()
       uses: aligent/workflows/.github/actions/node-problem-matchers@main

.github/dependabot.yml

@@ -4,3 +4,5 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7

.github/workflows/aem-sync-to-cloudmanager-repo.yml

@@ -96,11 +96,13 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Cache Maven packages
         if: ${{ !env.ACT }}  # Skip when running with act locally
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -131,11 +133,13 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Cache Maven packages
         if: ${{ !env.ACT }}  # Skip when running with act locally
-        uses: actions/cache@v5
+        uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7
         with:
           path: ~/.m2
           key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }}
@@ -165,9 +169,10 @@ jobs:
 
     steps:
       - name: Checkout code with full history
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Configure Git
         run: |
@@ -193,11 +198,11 @@ jobs:
 
           # Determine branch name
           if [ -n "$REMOTE_BRANCH" ]; then
-            BRANCH="${{ github.ref_name }}:${REMOTE_BRANCH}"
-            echo "📋 Pushing '${{ github.ref_name }}' to Cloud Manager branch '${REMOTE_BRANCH}'"
+            BRANCH="${GITHUB_REF_NAME}:${REMOTE_BRANCH}"
+            echo "📋 Pushing '${GITHUB_REF_NAME}' to Cloud Manager branch '${REMOTE_BRANCH}'"
           else
-            BRANCH="${{ github.ref_name }}"
-            echo "📋 Pushing '${{ github.ref_name }}' to Cloud Manager"
+            BRANCH="${GITHUB_REF_NAME}"
+            echo "📋 Pushing '${GITHUB_REF_NAME}' to Cloud Manager"
           fi
 
           # Push to Cloud Manager
@@ -215,16 +220,16 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "| Property | Value |" >> $GITHUB_STEP_SUMMARY
           echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| **Source Branch** | ${{ github.ref_name }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Source Branch** | ${GITHUB_REF_NAME} |" >> $GITHUB_STEP_SUMMARY
 
           if [ -n "$REMOTE_BRANCH" ]; then
             echo "| **Target Branch** | ${REMOTE_BRANCH} |" >> $GITHUB_STEP_SUMMARY
           else
-            echo "| **Target Branch** | ${{ github.ref_name }} |" >> $GITHUB_STEP_SUMMARY
+            echo "| **Target Branch** | ${GITHUB_REF_NAME} |" >> $GITHUB_STEP_SUMMARY
           fi
 
           echo "| **Git Commit** | ${{ github.sha }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| **Triggered By** | ${{ github.actor }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Triggered By** | ${GITHUB_ACTOR} |" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### ✅ Sync Complete" >> $GITHUB_STEP_SUMMARY
           echo "Your AEM project has been successfully synced to Cloud Manager." >> $GITHUB_STEP_SUMMARY

.github/workflows/aws-cdk.yml

@@ -122,9 +122,10 @@ jobs:
       role-session-name: ${{ steps.resolve-session-name.outputs.role-session-name }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           lfs: ${{ inputs.lfs }}
+          persist-credentials: false
 
       - name: Detect Node.js version
         id: node-version
@@ -158,7 +159,7 @@ jobs:
           fi
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version: ${{ steps.node-version.outputs.version }}
 
@@ -181,13 +182,17 @@ jobs:
           echo "✅ Corepack enabled and cache directory created: $CACHE_DIR"
 
       - name: Configure dependency cache
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version: ${{ steps.node-version.outputs.version }}
+          # yamllint disable rule:line-length
           cache: ${{ steps.detect-package-manager.outputs.manager == 'yarn-berry' && 'yarn' || (steps.detect-package-manager.outputs.manager == 'yarn-classic' && 'yarn' || steps.detect-package-manager.outputs.manager) }}
+          # yamllint enable rule:line-length
 
       - name: Install safe-chain
-        run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
+        run: |
+          SAFE_CHAIN_URL="https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh"
+          curl -fsSL "$SAFE_CHAIN_URL" | sh -s -- --ci
 
       - name: Install dependencies
         env:
@@ -329,7 +334,9 @@ jobs:
           fi
 
           # Validate that at least one of synth, diff or deploy is true
-          if [ "$INPUT_SYNTH" != "true" ] && [ "$INPUT_DIFF" != "true" ] && [ "$INPUT_DEPLOY" != "true" ]; then
+          if [ "$INPUT_SYNTH" != "true" ] && \
+             [ "$INPUT_DIFF" != "true" ] && \
+             [ "$INPUT_DEPLOY" != "true" ]; then
             echo "❌ Error: At least one of synth, diff, or deploy must be true"
             exit 1
           fi
@@ -392,7 +399,7 @@ jobs:
           echo "✅ node_modules packaged ($(du -h node_modules.tar.gz | cut -f1))"
 
       - name: Upload node_modules artifact
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: node_modules-${{ steps.sanitise.outputs.sanitised-cdk-stack-name }}
           path: node_modules.tar.gz
@@ -411,12 +418,13 @@ jobs:
       deployment-status: ${{ steps.deploy.outputs.status }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           lfs: ${{ inputs.lfs }}
+          persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
         with:
           node-version: ${{ needs.prepare.outputs.node-version }}
 
@@ -434,7 +442,7 @@ jobs:
           echo "✅ Corepack enabled"
 
       - name: Download node_modules artifact
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c
         with:
           name: node_modules-${{ needs.prepare.outputs.sanitised-cdk-stack-name }}
 
@@ -447,7 +455,7 @@ jobs:
 
       - name: Configure AWS credentials (Static)
         if: needs.prepare.outputs.auth-mode == 'static'
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
         with:
           aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -456,7 +464,7 @@ jobs:
 
       - name: Configure AWS credentials (OIDC)
         if: needs.prepare.outputs.auth-mode == 'oidc'
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
         with:
           role-to-assume: ${{ vars.AWS_ROLE_ARN }}
           role-session-name: ${{ needs.prepare.outputs.role-session-name }}
@@ -470,6 +478,7 @@ jobs:
           CFN_EXECUTION_ROLE: ${{ secrets.CFN_EXECUTION_ROLE }}
           AWS_REGION: ${{ inputs.aws-region }}
           EXTRA_ARGUMENTS: ${{ inputs.extra-arguments }}
+          CDK_BOOTSTRAP_CMD: ${{ needs.prepare.outputs.cdk-bootstrap-cmd }}
         run: |
           echo "🥾 Bootstrapping CDK environment..."
 
@@ -478,6 +487,8 @@ jobs:
             verbose="--verbose"
           fi
 
+          BOOTSTRAP_CMD="${CDK_BOOTSTRAP_CMD}"
+
           # Check if using custom command from config or default
           if [ "$BOOTSTRAP_CMD" = "npx cdk bootstrap" ]; then
             # Default command - add AWS-specific arguments
@@ -487,7 +498,7 @@ jobs:
             fi
 
             $BOOTSTRAP_CMD \
-              aws://$(aws sts get-caller-identity --query Account --output text)/$AWS_REGION \
+              aws://$(aws sts get-caller-identity --query Account --output text)/${AWS_REGION} \
               $role_args \
               $verbose
           else
@@ -521,7 +532,7 @@ jobs:
 
       - name: Upload synthesis artifacts
         if: inputs.synth == true
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: cdk-synthesis-${{ needs.prepare.outputs.sanitised-cdk-stack-name }}
           path: cdk.out/
@@ -567,7 +578,7 @@ jobs:
 
       - name: Upload diff analysis
         if: inputs.diff == true
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: deployment-diff-${{ needs.prepare.outputs.sanitised-cdk-stack-name }}
           path: deployment-diff.txt
@@ -611,7 +622,7 @@ jobs:
 
       - name: Upload deployment artifacts
         if: inputs.deploy == true && steps.deploy.outputs.status == 'success'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: deployment-outputs-${{ needs.prepare.outputs.sanitised-cdk-stack-name }}
           path: stack-outputs.json