ci: add zizmor security analysis for GitHub Actions workflows

[kibertoad]

Summary

Adds a new zizmor.yml workflow that runs zizmor — a static analysis tool for GitHub Actions — on every push to main and on every pull request. Findings are emitted as SARIF and uploaded via github/codeql-action/upload-sarif, so issues surface in the repository's Security → Code scanning tab.

What zizmor catches:

• Template injection in run: blocks
• Excessive GITHUB_TOKEN permissions
• persist-credentials: true on actions/checkout when not needed
• Unpinned action references and other supply chain risks
• Cache poisoning and artifact-related pitfalls

The workflow itself follows the patterns zizmor recommends:

• Top-level permissions: {} (deny-by-default) with a narrow per-job grant of security-events: write / contents: read / actions: read for SARIF upload
• persist-credentials: false on the checkout step
• Uses uvx zizmor so the tool version can be pinned later via a lockfile or explicit version

Test plan

• Workflow appears in the Actions tab on this PR
• zizmor job runs to completion and uploads a SARIF artifact
• Any findings show up under Security → Code scanning
• Existing CI (CI, Ensure labels) continues to pass

---

Generated by Claude Code

Summary by CodeRabbit

• Chores
  • Enhanced CI/CD pipeline security with improved permission controls and pinned action versions
  • Added automated security scanning to the release workflow
  • Configured dependency update cooldown periods to reduce notification frequency

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0c888aae-6933-4ed2-ab18-3a57fbc6c747

📥 Commits

Reviewing files that changed from the base of the PR and between a36f938 and 177d328.

📒 Files selected for processing (6)

• .github/dependabot.yml
• .github/workflows/ci.common.yml
• .github/workflows/ci.yml
• .github/workflows/ensure-labels.yml
• .github/workflows/publish.yml
• .github/workflows/zizmor.yml

---

📝 Walkthrough

Walkthrough

This PR hardens the CI/CD pipeline through Dependabot configuration updates, explicit permission restrictions and GitHub Actions version pinning across all workflows, refactored environment variable passing in the shared CI workflow, and a new security analysis workflow using zizmor.

Changes

CI/CD Security Hardening

Layer / File(s)	Summary
Dependabot cooldown configuration .github/dependabot.yml	Adds a 7-day cooldown period to both github-actions and npm package ecosystem update groups.
GitHub Actions permissions and version pinning .github/workflows/ci.common.yml, .github/workflows/ci.yml, .github/workflows/ensure-labels.yml, .github/workflows/publish.yml	Global workflow permissions set to empty object with explicit read-only grants at job level; actions/checkout, actions/setup-node, fastify/github-action-merge-dependabot, and dorny/paths-filter pinned to specific commit SHAs across all workflows.
CI workflow environment variable refactoring .github/workflows/ci.common.yml	Build, lint, test, and Docker commands refactored to pass package_name and queue_backend via PACKAGE_NAME and QUEUE_BACKEND environment variables, with --filter and notice log output updated to reference these variables.
New security analysis workflow .github/workflows/zizmor.yml	New workflow added to run zizmor GitHub Actions security analysis on pushes to main and pull requests, with restrictive permissions and pinned action versions enabled for annotation output.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Our workflows now stand guard with strict permissions,
Actions pinned to SHAs, no floating conditions,
Dependabot sleeps seven days between checks,
While zizmor scans for security wrecks,
A hardened CI/CD, safe and true! 🔒

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: adding zizmor security analysis for GitHub Actions workflows via the new zizmor.yml file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/add-zizmor-ci-checks-UXPRS

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.