ci: add zizmor workflow security scanner (#3506)

Adds zizmor alongside the actionlint job from #3503. Both now run as
parallel jobs in a single `.github/workflows/workflow-checks.yml`,
triggered on `.github/workflows/**` and `.github/actions/**` changes.

Zizmor is configured with `unpinned-uses: hash-pin` policy via
`.github/zizmor.yml`, so any future unpinned action will fail CI.
Findings upload SARIF to the Security tab alongside CodeQL.

Bulk of the diff is cleanup of the findings zizmor surfaced on first
run. `zizmor --fix=all` handled most of them mechanically; the rest were
judgment calls.

Author: nicktrn

.github/actions/get-image-tag/action.yml

@@ -23,35 +23,37 @@ runs:
       id: get_tag
       shell: bash
       run: |
-        if [[ -n "${{ inputs.tag }}" ]]; then
-          tag="${{ inputs.tag }}"
-        elif [[ "${{ github.ref_type }}" == "tag" ]]; then
-          if [[ "${{ github.ref_name }}" == infra-*-* ]]; then
-            env=$(echo ${{ github.ref_name }} | cut -d- -f2)
-            sha=$(echo ${{ github.sha }} | head -c7)
+        if [[ -n "${INPUTS_TAG}" ]]; then
+          tag="${INPUTS_TAG}"
+        elif [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
+          if [[ "${GITHUB_REF_NAME}" == infra-*-* ]]; then
+            env=$(echo ${GITHUB_REF_NAME} | cut -d- -f2)
+            sha=$(echo "${GITHUB_SHA}" | head -c7)
             ts=$(date +%s)
             tag=${env}-${sha}-${ts}
-          elif [[ "${{ github.ref_name }}" == re2-*-* ]]; then
-            env=$(echo ${{ github.ref_name }} | cut -d- -f2)
-            sha=$(echo ${{ github.sha }} | head -c7)
+          elif [[ "${GITHUB_REF_NAME}" == re2-*-* ]]; then
+            env=$(echo ${GITHUB_REF_NAME} | cut -d- -f2)
+            sha=$(echo "${GITHUB_SHA}" | head -c7)
             ts=$(date +%s)
             tag=${env}-${sha}-${ts}
-          elif [[ "${{ github.ref_name }}" == v.docker.* ]]; then
+          elif [[ "${GITHUB_REF_NAME}" == v.docker.* ]]; then
             version="${GITHUB_REF_NAME#v.docker.}"
             tag="v${version}"
-          elif [[ "${{ github.ref_name }}" == build-* ]]; then
+          elif [[ "${GITHUB_REF_NAME}" == build-* ]]; then
             tag="${GITHUB_REF_NAME#build-}"
           else
-            echo "Invalid git tag: ${{ github.ref_name }}"
+            echo "Invalid git tag: ${GITHUB_REF_NAME}"
             exit 1
           fi
-        elif [[ "${{ github.ref_name }}" == "main" ]]; then
+        elif [[ "${GITHUB_REF_NAME}" == "main" ]]; then
           tag="main"
         else
-          echo "Invalid git ref: ${{ github.ref }}"
+          echo "Invalid git ref: ${GITHUB_REF}"
           exit 1
         fi
         echo "tag=${tag}" >> "$GITHUB_OUTPUT"
+      env:
+        INPUTS_TAG: ${{ inputs.tag }}
 
     - name: 🔍 Check for validity
       id: check_validity

.github/workflows/changesets-pr.yml

@@ -25,7 +25,7 @@ jobs:
     if: github.repository == 'triggerdotdev/trigger.dev'
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 # zizmor: ignore[artipacked] changesets/action pushes the release branch; no artifact upload here so no leak path
         with:
           fetch-depth: 0
 

.github/workflows/claude-md-audit.yml

@@ -30,6 +30,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Run Claude Code
         id: claude

.github/workflows/claude.yml

@@ -29,6 +29,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

.github/workflows/docs.yml

@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: 📥 Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: 📦 Cache npm
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5

.github/workflows/e2e-webapp.yml

@@ -5,6 +5,11 @@ permissions:
 
 on:
   workflow_call:
+    secrets:
+      DOCKERHUB_USERNAME:
+        required: false
+      DOCKERHUB_TOKEN:
+        required: false
 
 jobs:
   e2eTests:
@@ -44,6 +49,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

.github/workflows/e2e.yml

@@ -27,6 +27,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0

.github/workflows/helm-prerelease.yml

@@ -34,6 +34,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Helm
         uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
@@ -78,6 +80,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Helm
         uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
@@ -108,11 +112,11 @@ jobs:
             SHORT_SHA=$(echo "${{ github.event.pull_request.head.sha }}" | cut -c1-7)
             PRERELEASE_VERSION="${BASE_VERSION}-pr${PR_NUMBER}.${SHORT_SHA}"
           elif [[ "${{ github.event_name }}" == "push" ]]; then
-            SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+            SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7)
             PRERELEASE_VERSION="${BASE_VERSION}-main.${SHORT_SHA}"
           else
-            SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
-            REF_SLUG=$(echo "${{ github.ref_name }}" | tr '/' '-' | tr -cd 'a-zA-Z0-9-')
+            SHORT_SHA=$(echo "${GITHUB_SHA}" | cut -c1-7)
+            REF_SLUG=$(echo "${GITHUB_REF_NAME}" | tr '/' '-' | tr -cd 'a-zA-Z0-9-')
             if [[ -z "$REF_SLUG" ]]; then
               REF_SLUG="manual"
             fi
@@ -123,7 +127,9 @@ jobs:
 
       - name: Update Chart.yaml with prerelease version
         run: |
-          sed -i "s/^version:.*/version: ${{ steps.version.outputs.version }}/" ./hosting/k8s/helm/Chart.yaml
+          sed -i "s/^version:.*/version: ${STEPS_VERSION_OUTPUTS_VERSION}/" ./hosting/k8s/helm/Chart.yaml
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Override appVersion
         if: github.event_name == 'workflow_dispatch' && inputs.app_version != ''
@@ -138,26 +144,30 @@ jobs:
 
       - name: Push Helm Chart to GHCR
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
+          VERSION="${STEPS_VERSION_OUTPUTS_VERSION}"
           CHART_PACKAGE="/tmp/${{ env.CHART_NAME }}-${VERSION}.tgz"
 
           # Push to GHCR OCI registry
           helm push "$CHART_PACKAGE" "oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts"
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Write run summary
         run: |
           {
             echo "### 🧭 Helm Chart Prerelease Published"
             echo ""
-            echo "**Version:** \`${{ steps.version.outputs.version }}\`"
+            echo "**Version:** \`${STEPS_VERSION_OUTPUTS_VERSION}\`"
             echo ""
             echo "**Install:**"
             echo '```bash'
             echo "helm upgrade --install trigger \\"
             echo "  oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts/${{ env.CHART_NAME }} \\"
-            echo "  --version \"${{ steps.version.outputs.version }}\""
+            echo "  --version \"${STEPS_VERSION_OUTPUTS_VERSION}\""
             echo '```'
           } >> "$GITHUB_STEP_SUMMARY"
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Find existing comment
         if: github.event_name == 'pull_request'

.github/workflows/pr_checks.yml

@@ -15,23 +15,21 @@ concurrency:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   typecheck:
     uses: ./.github/workflows/typecheck.yml
-    secrets: inherit
 
   units:
     uses: ./.github/workflows/unit-tests.yml
-    secrets: inherit
+    secrets:
+      DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+      DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
 
   e2e:
     uses: ./.github/workflows/e2e.yml
     with:
       package: cli-v3
-    secrets: inherit
 
   sdk-compat:
     uses: ./.github/workflows/sdk-compat.yml
-    secrets: inherit

.github/workflows/publish-webapp.yml

@@ -13,6 +13,9 @@ on:
         type: string
         required: false
         default: ""
+    secrets:
+      SENTRY_AUTH_TOKEN:
+        required: false
 
 jobs:
   publish:
@@ -30,6 +33,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: "#️⃣ Get the image tag"
         id: get_tag
@@ -40,34 +44,40 @@ jobs:
       - name: 🔢 Get the commit hash
         id: get_commit
         run: |
-          echo "sha_short=$(echo ${{ github.sha }} | cut -c1-7)" >> "$GITHUB_OUTPUT"
+          echo "sha_short=$(echo "${GITHUB_SHA}" | cut -c1-7)" >> "$GITHUB_OUTPUT"
 
       - name: 📛 Set the tags
         id: set_tags
         run: |
           ref_without_tag=ghcr.io/triggerdotdev/trigger.dev
-          image_tags=$ref_without_tag:${{ steps.get_tag.outputs.tag }}
+          image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}
 
           # if tag is a semver, also tag it as v4
-          if [[ "${{ steps.get_tag.outputs.is_semver }}" == true ]]; then
+          if [[ "${STEPS_GET_TAG_OUTPUTS_IS_SEMVER}" == true ]]; then
             # TODO: switch to v4 tag on GA
             image_tags=$image_tags,$ref_without_tag:v4-beta
           fi
 
           echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
+        env:
+          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
+          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
 
       - name: 📝 Set the build info
         id: set_build_info
         run: |
           {
-            tag="${{ steps.get_tag.outputs.tag }}"
-            if [[ "${{ steps.get_tag.outputs.is_semver }}" == true ]]; then
+            tag="${STEPS_GET_TAG_OUTPUTS_TAG}"
+            if [[ "${STEPS_GET_TAG_OUTPUTS_IS_SEMVER}" == true ]]; then
               echo "BUILD_APP_VERSION=${tag}"
             fi
-            echo "BUILD_GIT_SHA=${{ github.sha }}"
-            echo "BUILD_GIT_REF_NAME=${{ github.ref_name }}"
+            echo "BUILD_GIT_SHA=${GITHUB_SHA}"
+            echo "BUILD_GIT_REF_NAME=${GITHUB_REF_NAME}"
             echo "BUILD_TIMESTAMP_SECONDS=$(date +%s)"
           } >> "$GITHUB_OUTPUT"
+        env:
+          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
+          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
 
       - name: 🐙 Login to GitHub Container Registry
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0