chore(ci): add zizmor workflow for github actions security analysis

[jdx]

Adds zizmor to audit GitHub Actions workflows for security issues. Runs on push to main and on PRs that change .github/workflows/**. Fails CI on any finding.

🤖 Generated with Claude Code

---

Note

Medium Risk
Moderate risk because it changes GitHub Actions permissions and checkout credential behavior across multiple pipelines, which could break CI/release publishing if any job needs additional scopes or relies on persisted credentials.

Overview
Adds a new zizmor workflow that runs on main pushes and on PRs touching .github/workflows/**, failing CI on workflow security findings.

Hardens existing workflows (test, coverage, docs, publish-cli) by setting workflow-level permissions: {} and scoping job permissions explicitly, disabling actions/checkout credential persistence, and adjusting release steps (use GITHUB_REF_NAME, disable mise-action cache) to reduce token exposure and improve reproducibility.

^{Reviewed by Cursor Bugbot for commit 087e8dd. Bugbot is set up for automated code reviews on this repo. Configure here.}

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[greptile-apps]

Greptile Summary

This PR adds a zizmor GitHub Actions security-audit workflow and hardens all existing CI workflows by applying least-privilege permissions, persist-credentials: false on checkouts, and replacing expression-injection patterns (${{ github.ref_name }}) with safe shell-env references (${GITHUB_REF_NAME}).

• New zizmor.yml: Runs zizmor on PRs that touch .github/workflows/** and on every push to main, failing CI on any finding. Correctly scoped with permissions: {} at the workflow level and contents: read at the job level.
• Permission hardening across all workflows: Workflow-level permissions: {} is set everywhere, with only the minimum required scopes granted per job (e.g., contents: read for build jobs, contents: write for release jobs, pages: write/id-token: write retained on the docs deploy job).
• Credential and caching hygiene: persist-credentials: false added to all actions/checkout calls, and mise-action caching disabled in release/publish jobs to reduce implicit auth surface.

Confidence Score: 5/5

Safe to merge — all permission changes are correctly scoped per-job with no required scopes dropped, and the new zizmor workflow is well-structured.

The docs deploy job retains pages:write and id-token:write at the job level, so GitHub Pages deployment is unaffected. The gh CLI commands in publish-cli.yml use the GITHUB_TOKEN environment variable rather than the git credential helper, so persist-credentials:false does not break any release upload or edit steps. The ${GITHUB_REF_NAME} shell-env substitution is a valid default env var in GitHub Actions runners.

.github/workflows/release-plz.yml — the persist-credentials:false interaction with release-plz's git operations was flagged in a previous review and should be confirmed resolved before merging.

Important Files Changed

Filename	Overview
.github/workflows/zizmor.yml	New zizmor security-audit workflow; correctly scoped to workflow-file changes on PRs and all pushes to main, with minimal permissions and credential hardening.
.github/workflows/docs.yml	Moves workflow-level permissions to per-job scopes; deploy job retains required pages:write and id-token:write, build job correctly limited to contents:read.
.github/workflows/publish-cli.yml	Scopes contents:write to individual jobs, disables mise caching, adds persist-credentials:false, and replaces expression-injection pattern with shell-env references for GITHUB_REF_NAME.
.github/workflows/release-plz.yml	Adds persist-credentials:false and disables mise caching; potential git-push breakage for release-plz was already flagged in a previous review thread.
.github/workflows/test.yml	Adds workflow-level permissions:{} with contents:read at job level and persist-credentials:false on checkout; straightforward hardening with no functional change.
.github/workflows/coverage.yml	Adds permissions:{} at workflow level, contents:read at job level, persist-credentials:false on checkout, and a zizmor ignore suppression for taiki-e/install-action's tag-only commit ref.

_{Reviews (6): Last reviewed commit: "fix(ci): quote "${GITHUB_REF_NAME}" in g..." | Re-trigger Greptile}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.94%. Comparing base (4669413) to head (087e8dd).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #633   +/-   ##
=======================================
  Coverage   78.94%   78.94%           
=======================================
  Files          49       49           
  Lines        7284     7284           
  Branches     7284     7284           
=======================================
  Hits         5750     5750           
  Misses       1147     1147           
  Partials      387      387           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[cursor]

persist-credentials: false breaks git push in release workflow

High Severity

Adding persist-credentials: false to the checkout step removes the git credentials that the tasks/release-plz script relies on for git push --tags and git push origin release --force. The token parameter (MY_RELEASE_PLEASE_TOKEN) was specifically passed to the checkout action to persist auth for these downstream git operations. With persist-credentials: false, those push commands will fail with authentication errors, breaking the entire release automation.

 

^{Reviewed by Cursor Bugbot for commit 7485f8e. Configure here.}

[greptile-apps]

persist-credentials: false may break git push in release-plz

actions/checkout is given token: ${{ secrets.MY_RELEASE_PLEASE_TOKEN }} to fetch, but persist-credentials: false prevents that token from being stored in the git credential helper. If the release-plz CLI relies on the system git credential helper (rather than injecting the token directly into remote URLs via its own git2 call), any git push it performs will fail with an auth error. Verify that release-plz does not depend on the credential helper before landing this change.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit b7e029d. Configure here.}