From a5cbd3f3900b87dd319d8776a30937a3a0cf07c4 Mon Sep 17 00:00:00 2001
From: Miroslav Vadkerti
Date: Fri, 10 Apr 2026 14:38:16 +0200
Subject: [PATCH 1/2] ci: add `zizmor` pre-commit hook and harden GitHub Actions workflows

Add `zizmor` (GitHub Actions security linter) as a pre-commit hook to catch workflow security issues during development. Pin all GitHub Actions and pre-commit hooks to commit SHAs for supply chain security. Add `persist-credentials: false` to `actions/checkout` steps to prevent credential leakage through artifacts. Suppress `unpinned-images` for the Testing Farm container (we always want latest) and `secrets-outside-env` (overkill for this repo).

Assisted-by: Claude Code
Signed-off-by: Miroslav Vadkerti
---
 .github/workflows/container.yml | 6 +++---
 .github/workflows/container.yml.j2 | 6 +++---
 .github/workflows/mkdocs.yml | 8 +++++---
 .github/workflows/refresh-build-fmf.yml | 8 +++++---
 .pre-commit-config.yaml | 15 ++++++++++-----
 5 files changed, 26 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index e9ce092..c62b1bc 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -31,7 +31,7 @@ jobs:
 plan: /tmt/build/rawhide
 container:
- image: quay.io/testing-farm/cli:latest
+ image: quay.io/testing-farm/cli:latest # zizmor: ignore[unpinned-images]
 steps:
 - name: Compute image tag
@@ -45,8 +45,8 @@ jobs:
 - name: Schedule build via Testing Farm
 env:
- TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
- GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+ TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
+ GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }} # zizmor: ignore[secrets-outside-env]
 REPO_OWNER: ${{ github.repository_owner }}
 GIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
 TARGET_IMAGE: ghcr.io/thrix/nix-toolbox:${{ steps.tag.outputs.value }}
diff --git a/.github/workflows/container.yml.j2 b/.github/workflows/container.yml.j2
index 83b69bb..59df0cb 100644
--- a/.github/workflows/container.yml.j2
+++ b/.github/workflows/container.yml.j2
@@ -29,7 +29,7 @@ jobs:
 plan: /tmt/build/rawhide
 {% raw %}
 container:
- image: quay.io/testing-farm/cli:latest
+ image: quay.io/testing-farm/cli:latest # zizmor: ignore[unpinned-images]
 steps:
 - name: Compute image tag
@@ -43,8 +43,8 @@ jobs:
 - name: Schedule build via Testing Farm
 env:
- TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
- GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
+ TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
+ GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }} # zizmor: ignore[secrets-outside-env]
 REPO_OWNER: ${{ github.repository_owner }}
 GIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
 TARGET_IMAGE: ghcr.io/thrix/nix-toolbox:${{ steps.tag.outputs.value }}
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
index ff6e1a6..afc475a 100644
--- a/.github/workflows/mkdocs.yml
+++ b/.github/workflows/mkdocs.yml
@@ -17,10 +17,12 @@ jobs:
 steps:
 - name: Checkout repo
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v6
+ uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
 with:
 python-version: '3.14'
@@ -44,7 +46,7 @@ jobs:
 fi
 - name: Deploy to GitHub Pages
- uses: peaceiris/actions-gh-pages@v4
+ uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4
 with:
 github_token: ${{ secrets.GITHUB_TOKEN }}
 publish_dir: ./site
diff --git a/.github/workflows/refresh-build-fmf.yml b/.github/workflows/refresh-build-fmf.yml
index a0c3208..d29cc34 100644
--- a/.github/workflows/refresh-build-fmf.yml
+++ b/.github/workflows/refresh-build-fmf.yml
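Review bot: The pin comments on the new `uses:` lines for `actions/checkout` and `actions/setup-python` name only a major version (`# v6`), which does not let a reviewer confirm that the SHA is the commit behind a specific release; the comment should carry the exact tag the SHA was resolved from (`# v6.N.M` rather than `# v6`), and the same goes for `peaceiris/actions-gh-pages` in the next hunk. Dependabot and Renovate read that trailing comment to decide which release a SHA pin tracks, so an imprecise one can also make automated bumps skip or mis-resolve the action. Separately, `persist-credentials: false` is correct here because the deploy step passes `github_token` explicitly, but that token still needs push rights for Pages, so confirm the job's `permissions:` block (outside this hunk) grants no more than `contents: write`.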
@@ -16,10 +16,12 @@ jobs:
 steps:
 - name: Checkout repo
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+ with:
+ persist-credentials: false
 - name: Set up Python
- uses: actions/setup-python@v5
+ uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
 with:
 python-version: '3.13'
@@ -33,7 +35,7 @@ jobs:
 run: make generate/build-fmf
 - name: Create pull request if changed
- uses: peter-evans/create-pull-request@v7
+ uses: peter-evans/create-pull-request@22a9089034f40e5a961c8808d113e2c98fb63676 # v7
 with:
 commit-message: |
 ci: regenerate configs and docs for current Fedora releases
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 420106a..9113b0e 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,12 +1,12 @@
 ---
 repos:
 - repo: https://github.com/shellcheck-py/shellcheck-py
- rev: v0.11.0.1
+ rev: 745eface02aef23e168a8afb6b5737818efbea95 # v0.11.0.1
 hooks:
 - id: shellcheck
 - repo: https://github.com/pre-commit/pre-commit-hooks
- rev: v6.0.0
+ rev: 3e8a8703264a2f4a69428a0aa4dcb512790b2c8c # v6.0.0
 hooks:
 - id: check-added-large-files
 - id: check-ast
@@ -29,12 +29,12 @@ repos:
 - id: trailing-whitespace
 - repo: https://github.com/gitleaks/gitleaks
- rev: v8.30.1
+ rev: 83d9cd684c87d95d656c1458ef04895a7f1cbd8e # v8.30.1
 hooks:
 - id: gitleaks
 - repo: https://github.com/igorshubovych/markdownlint-cli
- rev: v0.48.0
+ rev: e72a3ca1632f0b11a07d171449fe447a7ff6795e # v0.48.0
 hooks:
 - id: markdownlint
 args:
@@ -47,6 +47,11 @@ repos:
 - sentences-per-line
 - repo: https://github.com/codespell-project/codespell
- rev: v2.4.2
+ rev: 2ccb47ff45ad361a21071a7eedda4c37e6ae8c5a # v2.4.2
 hooks:
 - id: codespell
+
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: ea2eb407b4cbce87cf0d502f36578950494f5ac9 # v1.23.1
+ hooks:
+ - id: zizmor
From d5deb4796fff63c43d99b76f70f17d2db8dd15e2 Mon Sep 17 00:00:00 2001
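Review bot: The SHA pins in `rev:` are silently undone the next time someone runs a plain `pre-commit autoupdate`, which rewrites every `rev:` back to a tag name; add a note above `repos:` so the convention survives, e.g. `# rev values are commit SHAs (release tag in the trailing comment); refresh with: pre-commit autoupdate --freeze`. The new `zizmor` hook only runs where a developer has pre-commit installed, so a push from someone who skips hooks reaches CI unchecked; unless the repository is on pre-commit.ci, consider also running `zizmor .github/workflows` in a workflow so the lint is enforced for every change. For the `refresh-build-fmf.yml` hunks on this line the same tag-precision remark applies: `# v5` and `# v7` should name the exact release the SHA corresponds to.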
From: Miroslav Vadkerti
Date: Fri, 10 Apr 2026 20:19:28 +0200
Subject: [PATCH 2/2] ci: use GitHub environment for secrets in container build workflow

Add `environment: build` to the container build job so secrets are scoped to a dedicated GitHub environment instead of being accessible repo-wide. This addresses the `secrets-outside-env` zizmor finding properly rather than suppressing it. Also expand the `unpinned-images` suppression comment with rationale.

Assisted-by: Claude Code
Signed-off-by: Miroslav Vadkerti
---
 .github/workflows/container.yml | 7 +++++--
 .github/workflows/container.yml.j2 | 7 +++++--
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/container.yml b/.github/workflows/container.yml
index c62b1bc..4ebc7e4 100644
--- a/.github/workflows/container.yml
+++ b/.github/workflows/container.yml
@@ -15,6 +15,8 @@ jobs:
 build:
 runs-on: ubuntu-latest
+ environment: build
+
 permissions:
 packages: write
@@ -31,6 +33,7 @@ jobs:
 plan: /tmt/build/rawhide
 container:
+ # Always use latest Testing Farm CLI to get newest features and fixes
 image: quay.io/testing-farm/cli:latest # zizmor: ignore[unpinned-images]
 steps:
@@ -45,8 +48,8 @@ jobs:
 - name: Schedule build via Testing Farm
 env:
- TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
- GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }} # zizmor: ignore[secrets-outside-env]
+ TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
+ GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
 REPO_OWNER: ${{ github.repository_owner }}
 GIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
 TARGET_IMAGE: ghcr.io/thrix/nix-toolbox:${{ steps.tag.outputs.value }}
diff --git a/.github/workflows/container.yml.j2 b/.github/workflows/container.yml.j2
index 59df0cb..e346d9f 100644
--- a/.github/workflows/container.yml.j2
+++ b/.github/workflows/container.yml.j2
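Review bot: `environment: build` in the first hunk does not by itself scope anything: a job that names an environment gains that environment's secrets in addition to the repository-level secrets every job already sees, so the commit's claim that the tokens are no longer accessible repo-wide only holds if `TESTING_FARM_API_TOKEN` and `GHCR_TOKEN` are recreated as environment secrets on `build` and deleted from the repository secrets. The hardening further depends on protection rules that live in repository settings, not in this file: without required reviewers or a deployment-branch restriction on `build`, any run that reaches this job still receives both tokens, and `GIT_SHA` falling back to `github.event.pull_request.head.sha` shows PR-driven runs are expected, so the trigger (outside this hunk) decides who can cause that. Record the assumption next to the key so it is not lost, e.g. `environment: build  # tokens are environment secrets only; reviewer/branch protection rules are set in repo settings`.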
@@ -15,6 +15,8 @@ jobs:
 build:
 runs-on: ubuntu-latest
+ environment: build
+
 permissions:
 packages: write
@@ -29,6 +31,7 @@ jobs:
 plan: /tmt/build/rawhide
 {% raw %}
 container:
+ # Always use latest Testing Farm CLI to get newest features and fixes
 image: quay.io/testing-farm/cli:latest # zizmor: ignore[unpinned-images]
 steps:
@@ -43,8 +46,8 @@ jobs:
 - name: Schedule build via Testing Farm
 env:
- TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }} # zizmor: ignore[secrets-outside-env]
- GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }} # zizmor: ignore[secrets-outside-env]
+ TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
+ GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
 REPO_OWNER: ${{ github.repository_owner }}
 GIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }}
 TARGET_IMAGE: ghcr.io/thrix/nix-toolbox:${{ steps.tag.outputs.value }}
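Review bot: The comment added above `image:` in the second hunk explains why `latest` is wanted but not why the risk is acceptable: every step of this job runs inside `quay.io/testing-farm/cli:latest` with `TESTING_FARM_API_TOKEN` and `GHCR_TOKEN` in its environment, so whoever can push that mutable tag can read both tokens, and nothing in the workflow would notice the swap. Either pin by digest, `image: quay.io/testing-farm/cli@sha256:<digest>`, and let a dependency bot bump it so newer releases still arrive, or state the trust decision in the comment, e.g. `# Mutable tag accepted: image is published by the Testing Farm team and receives this job's tokens`. If `container.yml` is rendered from this template, the generated file inherits whichever choice is made here.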