From c8292302ad6a066d32d873efca56c7b43a58e5f3 Mon Sep 17 00:00:00 2001
From: Ameer Ghani
Date: Tue, 2 Jun 2026 20:56:11 +0000
Subject: [PATCH] ci: use zizmor and remediate findings
---
.github/workflows/test.yml | 10 +++++++---
.github/workflows/zizmor.yml | 36 ++++++++++++++++++++++++++++++++++++
2 files changed, 43 insertions(+), 3 deletions(-)
create mode 100644 .github/workflows/zizmor.yml
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index b42e24f..33ed85b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,15 +9,19 @@ on:
- '**'
workflow_dispatch:
+permissions: {}
+
jobs:
test:
runs-on: ubuntu-24.04
steps:
- name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+ with:
+ persist-credentials: false
- name: Set up Go
- uses: actions/setup-go@v5
+ uses: actions/setup-go@40f1582b2485089dde7abd97c1529aa768e1baff # v5.6.0
with:
go-version-file: 'go.mod'
@@ -28,7 +32,7 @@ jobs:
run: go test -v ./...
- name: Lint
- uses: golangci/golangci-lint-action@v8
+ uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0
with:
version: v2.3.0
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
new file mode 100644
index 0000000..2d981a0
--- /dev/null
+++ b/.github/workflows/zizmor.yml
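Review bot: actions/checkout ends up pinned at two different versions within this one commit — `actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1` in this hunk versus `actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2` in the new zizmor.yml — so consider aligning both workflows on a single pin so that updates and review treat them uniformly. The `# vX.Y.Z` trailers are the only human-readable signal and nothing in Actions checks them against the SHA, so confirm that each commented tag really resolves to the hash beside it before merging; nothing on this page allows that check. The second hunk (golangci-lint-action pinned to `4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0`) follows the same pattern, and the steps between the two hunks are not shown, so any action references there cannot be checked for pinning from this page. With `permissions: {}` at workflow level and no job-level `permissions:` block the token carries no scopes, which looks sufficient for the steps visible here, but if a step later needs the token to read the repository, `permissions: contents: read` on the `test` job is the place to add it rather than widening the workflow-level block.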
@@ -0,0 +1,36 @@
+name: Lint GitHub Actions
+
+on:
+ push:
+ branches:
+ - main
+ - release-branch-*
+ pull_request:
+ branches:
+ - '**'
+ workflow_dispatch:
+
+permissions: {}
+
+jobs:
+ zizmor:
+ runs-on: ubuntu-24.04
+
+ env:
+ ZIZMOR_IMAGE: ghcr.io/zizmorcore/zizmor:1.25.2@sha256:14ea7f5cc7c67933394a35b5a38a277397818d232602635edb2010b313afb110
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Run zizmor
+ env:
+ GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ run: |
+ docker run \
+ --volume "${GITHUB_WORKSPACE}:/src:ro" \
+ --workdir "/src" \
+ --env "GH_TOKEN" \
+ "$ZIZMOR_IMAGE" -- /src
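Review bot: `ZIZMOR_IMAGE` is pinned by digest, which makes the `1.25.2` tag in the same reference informational only — docker resolves the `@sha256:` digest, so a bump of the tag alone would silently keep running the old build — and a comment above the env line would spare the next maintainer that surprise: `# Pinned by digest; the 1.25.2 tag is for humans and update tooling only — change both together.` The `Run zizmor` step likewise deserves a line explaining why a token is passed at all, e.g. `# GH_TOKEN is passed by name only (--env), never on the command line; zizmor uses it for its online audits.` With `permissions: {}` at workflow level and no job-level block the token has no scopes, which should suffice for a public repository, but if this repository is private zizmor's API lookups may need `permissions: contents: read` on the `zizmor` job — worth confirming before relying on the online audit results.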