ci: add zizmor static analysis and harden existing workflows

.github/workflows/ci.common.yml

@@ -12,11 +12,15 @@ on:
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node ${{ inputs.node_version }}
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ inputs.node_version }}
           package-manager-cache: false
@@ -33,7 +37,11 @@ jobs:
         run: pnpm install --frozen-lockfile
 
       - name: Build
-        run: pnpm turbo run build --filter=${{ inputs.package_name }}
+        env:
+          PACKAGE_NAME: ${{ inputs.package_name }}
+        run: pnpm turbo run build --filter="$PACKAGE_NAME"
 
       - name: Run Tests
-        run: pnpm turbo run test --filter=${{ inputs.package_name }}
+        env:
+          PACKAGE_NAME: ${{ inputs.package_name }}
+        run: pnpm turbo run test --filter="$PACKAGE_NAME"

.github/workflows/ci.yml

@@ -6,14 +6,20 @@ on:
       - main
   pull_request:
 
+permissions: {}
+
 jobs:
   changed-files-job:
     name: Get changed packages
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     outputs:
       packages: ${{ steps.detect.outputs.packages }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Get changed files
         id: changed-files
@@ -71,11 +77,15 @@ jobs:
 
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22.x
           package-manager-cache: false
@@ -96,11 +106,15 @@ jobs:
     # examples depend on the library packages via `workspace:*`, so any
     # library change that breaks an example surfaces here.
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22.x
           package-manager-cache: false
@@ -130,6 +144,8 @@ jobs:
   examples-e2e:
     name: E2E smoke (${{ matrix.shell }})
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -148,7 +164,9 @@ jobs:
             runtime_path: packages/tanstack-router-runtime
             core_path: packages/tanstack-router-core
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Detect relevant changes
         id: changes
@@ -177,7 +195,7 @@ jobs:
 
       - name: Setup Node
         if: steps.changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22.x
           package-manager-cache: false
@@ -197,15 +215,19 @@ jobs:
 
       - name: Install Playwright browsers
         if: steps.changes.outputs.any_changed == 'true'
-        run: pnpm --filter ${{ matrix.shell }} exec playwright install --with-deps chromium
+        env:
+          SHELL_FILTER: ${{ matrix.shell }}
+        run: pnpm --filter "$SHELL_FILTER" exec playwright install --with-deps chromium
 
       - name: Run E2E smoke test
         if: steps.changes.outputs.any_changed == 'true'
-        run: pnpm --filter ${{ matrix.shell }} test:e2e
+        env:
+          SHELL_FILTER: ${{ matrix.shell }}
+        run: pnpm --filter "$SHELL_FILTER" test:e2e
 
       - name: Upload Playwright report on failure
         if: failure() && steps.changes.outputs.any_changed == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           # `actions/upload-artifact` rejects `/` in artifact names, so the
           # matrix may set `shell_artifact` to a slash-free fallback (the
@@ -218,8 +240,12 @@ jobs:
   catalog-e2e:
     name: Catalog E2E
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Detect relevant changes
         id: changes
@@ -237,7 +263,7 @@ jobs:
 
       - name: Setup Node
         if: steps.changes.outputs.any_changed == 'true'
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22.x
           package-manager-cache: false
@@ -265,7 +291,7 @@ jobs:
 
       - name: Upload Playwright report on failure
         if: failure() && steps.changes.outputs.any_changed == 'true'
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: playwright-report-catalog
           path: examples/catalog/playwright-report/
@@ -279,6 +305,6 @@ jobs:
       pull-requests: write
       contents: write
     steps:
-      - uses: fastify/github-action-merge-dependabot@v3
+      - uses: fastify/github-action-merge-dependabot@e820d631adb1d8ab16c3b93e5afe713450884a4a # v3.11.1
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ensure-labels.yml

@@ -12,10 +12,14 @@ on:
       - labeled
       - unlabeled
 
+permissions: {}
+
 jobs:
   ensure_labels:
     name: Ensure PR has proper labeling
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: read
     steps:
       - name: Check one of required labels are set
         uses: docker://agilepathway/pull-request-label-checker:v1.6.65

.github/workflows/publish.yml

@@ -7,6 +7,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 # Prevent overlapping releases if multiple PRs merge close together
 concurrency:
   group: release-main
@@ -32,9 +34,10 @@ jobs:
       bump: ${{ steps.version.outputs.bump }}
       same_version: ${{ steps.version.outputs.same_version }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Determine version strategy
         id: version
@@ -69,7 +72,7 @@ jobs:
           fi
 
       - id: filter
-        uses: dorny/paths-filter@v3
+        uses: dorny/paths-filter@d1c1ffe0248fe513906c8e24db8ea791d46f8590 # v3.0.3
         with:
           filters: |
             pkg_core:
@@ -138,6 +141,8 @@ jobs:
 
       - name: Build dynamic matrix
         id: build-matrix
+        env:
+          CHANGED: ${{ steps.filter.outputs.changes }}
         run: |
           # Each entry: filter_key -> dir:npmName
           declare -A PKG_MAP=(
@@ -157,7 +162,6 @@ jobs:
             ["pkg_tr_testing"]="tanstack-router-testing:@tanstack-react-modules/testing"
           )
 
-          CHANGED='${{ steps.filter.outputs.changes }}'
           echo "Changed filters: $CHANGED"
 
           MATRIX="["
@@ -198,7 +202,7 @@ jobs:
 
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
           token: ${{ github.token }}
@@ -213,7 +217,7 @@ jobs:
         run: git pull --ff-only origin main
 
       - name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 24.x
           registry-url: "https://registry.npmjs.org"

.github/workflows/zizmor.yml

@@ -0,0 +1,40 @@
+name: Zizmor
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/actions/**'
+      - '.github/workflows/zizmor.yml'
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Static analysis of GitHub Actions workflows
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6 # v6.6.1
+
+      - name: Run zizmor
+        run: uvx zizmor --format=sarif . > results.sarif
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Upload SARIF results
+        uses: github/codeql-action/upload-sarif@439137e1b50c27ba9e2f9befc93e43091b449c34 # v3.32.0
+        with:
+          sarif_file: results.sarif
+          category: zizmor