chore(workflows): add zizmor security gate and harden Actions credential handling

.github/dependabot.yml

@@ -6,6 +6,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15
@@ -16,6 +18,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15
@@ -26,6 +30,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15
@@ -36,6 +42,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15
@@ -46,6 +54,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15
@@ -56,6 +66,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       prefix: 'chore'   ## prefix maximum string length of 15

.github/workflows/build_docs.yml

@@ -22,6 +22,8 @@ jobs:
     - name: Checkout
       # see https://github.com/actions/checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
     - name: Set up JDK
       # see https://github.com/actions/setup-java
       uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
@@ -47,6 +49,8 @@ jobs:
     - name: Checkout
       # see https://github.com/actions/checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
     - name: Setup Python Environment
       # see https://github.com/actions/setup-python
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -71,6 +75,8 @@ jobs:
     - name: Checkout
       # see https://github.com/actions/checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
     - name: Generate Schema documentation
       run: ./gen.sh
     - name: Archive Schema documentation

.github/workflows/bundle_2.0_schemas.yml

@@ -21,10 +21,10 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
+          persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: '20'
 
@@ -40,6 +40,8 @@ jobs:
             ../../../../schema/2.0/cyclonedx-2.0.schema.json
 
       - name: Check for changes and commit
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           BUNDLED_FILE="schema/2.0/cyclonedx-2.0-bundled.schema.json"
 
@@ -54,5 +56,5 @@ jobs:
             git config --local user.email "github-actions[bot]@users.noreply.github.com"
             git config --local user.name "github-actions[bot]"
             git commit -m "chore: update bundled schema [skip ci]"
-            git push
+            git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"
           fi

.github/workflows/test_java.yml

@@ -24,6 +24,8 @@ jobs:
     - name: Checkout
       # see https://github.com/actions/checkout
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+      with:
+        persist-credentials: false
     - name: Set up JDK
       # see https://github.com/actions/setup-java
       uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5

.github/workflows/test_js.yml

@@ -27,9 +27,11 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Node.js
         # see https://github.com/actions/setup-node
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: '24.x'
           package-manager-cache: false

.github/workflows/test_php.yml

@@ -27,6 +27,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup PHP
         # see https://github.com/shivammathur/setup-php
         uses: shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f # v2

.github/workflows/test_proto.yml

@@ -27,5 +27,7 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Run test
         run: ./test.sh

.github/workflows/update_spdx_licenses.yml

@@ -26,6 +26,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ github.ref_name }}
+          persist-credentials: false
       - name: Set up JDK
         # see https://github.com/actions/setup-java
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5
@@ -77,6 +78,7 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ github.ref_name }}
+          persist-credentials: false
       - name: Switch branch
         id: branch
         run: |
@@ -98,6 +100,8 @@ jobs:
           name: schema-spdx
           path: schema
       - name: Commit and push
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           set -eux
           if git diff --quiet -- 'schema/spdx.*'
@@ -109,7 +113,7 @@ jobs:
           git config user.email 'spdx-license-bumper@bot.local'
           git add -A schema
           git commit -s -m "feat: bump SPDX licenses $SB_VERSION"
-          git push origin "$SB_BRANCH"
+          git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" "$SB_BRANCH"
       - name: Pull request
         if: ${{ steps.branch.outputs.existed == 'false' }}
         run: >

.github/workflows/zizmor.yml

@@ -0,0 +1,33 @@
+name: Zizmor
+
+on:
+  pull_request:
+    paths:
+      - '.github/workflows/**'
+      - '.github/dependabot.yml'
+  push:
+    paths:
+      - '.github/workflows/**'
+      - '.github/dependabot.yml'
+  schedule:
+    - cron: '0 0 * * 6'
+
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Checkout
+        # see https://github.com/actions/checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+      - name: Run zizmor
+        # see https://github.com/zizmorcore/zizmor-action
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3
+        with:
+          advanced-security: false
+          annotations: true