Harden CI workflows with Zizmor and SHA version pinning (#230)

* ci: Pin action versions to commit SHAs

* ci: Use runner-provided `rustup` over external action

* ci: Configure granular workflow permissions

* ci: Add zizmor workflow

* ci: Format workflows

* ci: Correct go version in `tests.yaml`

* ci: Remove explicit permissions since repo is public

Author: kaylendog

.github/workflows/single_sdk_tests.yml

@@ -4,7 +4,9 @@
 # in the input. It runs single SDK only tests (e.g all JS clients _or_ all Rust clients, not a mixture).
 name: "Complement Crypto"
 run-name: "Running Complement-Crypto"
-permissions: read-all
+
+permissions: {}
+
 on:
   workflow_call:
     inputs:
@@ -32,7 +34,9 @@ jobs:
       # At this stage we don't know which repo we have just checked out. We will reference this repo
       # if the workflow uses '.'
       - name: Checkout repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
       - name: Resolve branches
         shell: bash
         # these env vars will be modified and used in subsequent steps
@@ -104,18 +108,18 @@ jobs:
           docker pull mitmproxy/mitmproxy:10.1.5
           docker tag ghcr.io/matrix-org/synapse-service:v1.117.0 homeserver:latest
       - name: Setup | Go
-        uses: actions/setup-go@v6
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
           go-version: "1.25"
       - name: "Install Complement Dependencies"
         shell: bash
         run: |
-          go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest
+          go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@4c97682ab858d6bbd26fc020e255cb339c9c8119 # v2.5.0
 
       # JS SDK only steps
       - name: Setup | Node.js LTS
         if: ${{ inputs.use_js_sdk != '' }}
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "lts/*"
       - name: "Install JS SDK"
@@ -128,9 +132,9 @@ jobs:
       # which we then pass to rebuild_rust_sdk.sh
       - name: Setup | Rust
         if: ${{ inputs.use_rust_sdk != '' }}
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          toolchain: stable
+        run: |
+          rustup toolchain install stable
+          rustup default stable
       - name: "Download Rust SDK" # no need to download rust SDK if we are using the local checkout.
         if: ${{ inputs.use_rust_sdk != '' && inputs.use_rust_sdk != '.'}}
         run: |
@@ -182,7 +186,7 @@ jobs:
           RUST_SDK_LIB_RELATIVE: ${{ inputs.use_rust_sdk == '.' &&  '/target/debug' || '/complement-crypto/rust-sdk/target/debug'}}
 
       - name: Upload logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ failure() }}
         with:
           name: Logs - ${{ inputs.use_js_sdk != '' && 'jssdk' || 'rust'}}

.github/workflows/tests.yaml

@@ -1,64 +1,68 @@
 name: Tests
 
+permissions: {}
+
 on:
   push:
-    branches: [ 'main' ]
+    branches: ["main"]
   pull_request:
   workflow_dispatch:
 
 jobs:
   check-signoff:
     if: "github.event_name == 'pull_request'"
-    uses: "matrix-org/backend-meta/.github/workflows/sign-off.yml@v2"
+    uses: matrix-org/backend-meta/.github/workflows/sign-off.yml@18beaf3c8e536108bd04d18e6c3dc40ba3931e28 # v2
 
   js-latest-main:
     name: Tests (JS only, latest)
     uses: ./.github/workflows/single_sdk_tests.yml
     with:
-      use_js_sdk: 'MATCHING_BRANCH'
-      use_complement_crypto: '.'
+      use_js_sdk: "MATCHING_BRANCH"
+      use_complement_crypto: "."
 
   rust-latest-main:
     name: Tests (Rust only, latest)
     uses: ./.github/workflows/single_sdk_tests.yml
     with:
-      use_rust_sdk: 'MATCHING_BRANCH'
-      use_complement_crypto: '.'
+      use_rust_sdk: "MATCHING_BRANCH"
+      use_complement_crypto: "."
 
   complement:
     name: Tests
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3 # Checkout crypto tests
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       # Install Node, Go and Rust, along with gotestfmt
       - name: Setup | Node.js LTS
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: "lts/*"
-          cache: 'yarn'
+          cache: "yarn"
           cache-dependency-path: "internal/api/js/js-sdk/yarn.lock"
       - name: Setup | Go
-        uses: actions/setup-go@v4
+        uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
         with:
-          go-version: '1.21'
+          go-version: "1.25"
       - name: Setup | Rust
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          toolchain: stable
+        run: |
+          rustup toolchain install stable
+          rustup default stable
       - name: Checkout matrix-rust-sdk
         run: |
           BRANCH=$(./.github/workflows/resolve_branch.sh matrix-org/matrix-rust-sdk)
           mkdir rust-sdk
           wget -O archive.tar.gz "https://github.com/matrix-org/matrix-rust-sdk/archive/$BRANCH.tar.gz"
           zcat < archive.tar.gz | git get-tar-commit-id # useful for debugging
           tar -xz --strip-components=1 -C rust-sdk < archive.tar.gz
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@779680da715d629ac1d338a641029a2f4372abb5 # v2.8.2
         with:
           workspaces: "rust-sdk"
       - name: "Install Complement Dependencies"
         run: |
-          go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@latest
+          go install -v github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@4c97682ab858d6bbd26fc020e255cb339c9c8119 # v2.5.0
 
       # Install whatever version of the JS SDK is in package.json
       - name: Build JS SDK
@@ -81,38 +85,38 @@ jobs:
           docker tag ghcr.io/matrix-org/synapse-service:v1.117.0 homeserver:latest
 
       # Build homeserver image, honouring branch names
-      #- name: "Checkout corresponding Synapse branch" 
-        #shell: bash 
-        #run: |  
-          #mkdir -p homeserver 
-#  
-          ## Attempt to use the version of the homeserver which best matches the 
-          ## current build.  
-          ## 
-          ## 1. If we are not on complement's default branch, check if there's a 
-          ##    similarly named branch (GITHUB_HEAD_REF for pull requests, 
-          ##    otherwise GITHUB_REF). 
-          ## 2. otherwise, use the default homeserver branch ("HEAD")  
-#  
-          #for BRANCH_NAME in "$GITHUB_HEAD_REF" "${GITHUB_REF#refs/heads/}" "HEAD"; do  
-            ## Skip empty branch names, merge commits, and our default branch. 
-            ## (If we are on complement's default branch, we want to fall through to the HS's default branch 
-            ## rather than using the HS's 'master'/'main').  
-            #case "$BRANCH_NAME" in  
-              #"" | refs/pull/* | main | master) 
-                #continue  
-                #;;  
-            #esac  
-            #(wget -O - "https://github.com/matrix-org/synapse/archive/$BRANCH_NAME.tar.gz" | tar -xz --strip-components=1 -C homeserver) && break 
-          #done  
-        ## Build the base Synapse dockerfile and then build a Complement-specific image from that base.  
-      #- run: |  
-          #docker build -t matrixdotorg/synapse:latest -f docker/Dockerfile .  
-          #docker build -t matrixdotorg/synapse-workers:latest -f docker/Dockerfile-workers .  
-          #docker build -t homeserver -f docker/complement/Dockerfile docker/complement  
-        #working-directory: homeserver 
-        #env:  
-          #DOCKER_BUILDKIT: 1  
+      #- name: "Checkout corresponding Synapse branch"
+      #shell: bash
+      #run: |
+      #mkdir -p homeserver
+      #
+      ## Attempt to use the version of the homeserver which best matches the
+      ## current build.
+      ##
+      ## 1. If we are not on complement's default branch, check if there's a
+      ##    similarly named branch (GITHUB_HEAD_REF for pull requests,
+      ##    otherwise GITHUB_REF).
+      ## 2. otherwise, use the default homeserver branch ("HEAD")
+      #
+      #for BRANCH_NAME in "$GITHUB_HEAD_REF" "${GITHUB_REF#refs/heads/}" "HEAD"; do
+      ## Skip empty branch names, merge commits, and our default branch.
+      ## (If we are on complement's default branch, we want to fall through to the HS's default branch
+      ## rather than using the HS's 'master'/'main').
+      #case "$BRANCH_NAME" in
+      #"" | refs/pull/* | main | master)
+      #continue
+      #;;
+      #esac
+      #(wget -O - "https://github.com/matrix-org/synapse/archive/$BRANCH_NAME.tar.gz" | tar -xz --strip-components=1 -C homeserver) && break
+      #done
+      ## Build the base Synapse dockerfile and then build a Complement-specific image from that base.
+      #- run: |
+      #docker build -t matrixdotorg/synapse:latest -f docker/Dockerfile .
+      #docker build -t matrixdotorg/synapse-workers:latest -f docker/Dockerfile-workers .
+      #docker build -t homeserver -f docker/complement/Dockerfile docker/complement
+      #working-directory: homeserver
+      #env:
+      #DOCKER_BUILDKIT: 1
       - name: "Run Complement-Crypto unit tests"
         env:
           COMPLEMENT_BASE_IMAGE: homeserver
@@ -161,10 +165,10 @@ jobs:
           DOCKER_BUILDKIT: 1
 
       - name: Upload logs
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ always() }} # do this even if the tests fail
         with:
           name: Logs - ${{ job.status }}
           path: |
-              ./**/logs/*
-              ./**/mitm.dump
+            ./**/logs/*
+            ./**/mitm.dump

.github/workflows/zizmor.yml

@@ -0,0 +1,25 @@
+name: Analyse workflows with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2