GHA CI: add checking for GHA workflows

PR #22200.

---------

Co-authored-by: userdocs <16525024+userdocs@users.noreply.github.com>

.github/workflows/ci_file_health.yaml

@@ -12,11 +12,15 @@ jobs:
   ci:
     name: Check
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
-      - name: Install tools
+      - name: Setup python
         uses: actions/setup-python@v5
         with:
           python-version: "*"
@@ -42,3 +46,26 @@ jobs:
           done
           # check diff, ignore "Automatically generated by ..." part
           git diff -I '\.\\".*' --exit-code
+
+      - name: Check GitHub Actions workflow
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          pip install zizmor
+          IGNORE_RULEID='(.ruleId != "template-injection")
+            and (.ruleId != "unpinned-uses")'
+          IGNORE_ID='(.id != "template-injection")
+            and (.id != "unpinned-uses")'
+          zizmor \
+            --format sarif \
+            --pedantic \
+            ./ \
+            | jq "(.runs[].results |= map(select($IGNORE_RULEID)))
+              | (.runs[].tool.driver.rules |= map(select($IGNORE_ID)))" \
+            > "${{ runner.temp }}/zizmor_results.sarif"
+
+      - name: Upload zizmor results
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: zizmor
+          sarif_file: "${{ runner.temp }}/zizmor_results.sarif"

.github/workflows/ci_macos.yaml

@@ -2,8 +2,7 @@ name: CI - macOS
 
 on: [pull_request, push]
 
-permissions:
+permissions: {}
-  actions: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Build
     runs-on: macos-latest
+    permissions:
+      actions: write
 
     strategy:
       fail-fast: false
@@ -28,6 +29,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         uses: Wandalen/wretry.action@v3

.github/workflows/ci_python.yaml

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup python (auxiliary scripts)
         uses: actions/setup-python@v5

.github/workflows/ci_ubuntu.yaml

@@ -2,9 +2,7 @@ name: CI - Ubuntu
 
 on: [pull_request, push]
 
-permissions:
+permissions: {}
-  actions: write
-  security-events: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -14,6 +12,9 @@ jobs:
   ci:
     name: Build
     runs-on: ubuntu-latest
+    permissions:
+      actions: write
+      security-events: write
 
     strategy:
       fail-fast: false
@@ -30,6 +31,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: |

.github/workflows/ci_webui.yaml

@@ -2,8 +2,7 @@ name: CI - WebUI
 
 on: [pull_request, push]
 
-permissions:
+permissions: {}
-  security-events: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Check
     runs-on: ubuntu-latest
+    permissions:
+      security-events: write
 
     defaults:
       run:
@@ -21,6 +22,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup nodejs
         uses: actions/setup-node@v4

.github/workflows/ci_windows.yaml

@@ -2,8 +2,7 @@ name: CI - Windows
 
 on: [pull_request, push]
 
-permissions:
+permissions: {}
-  actions: write
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
@@ -13,6 +12,8 @@ jobs:
   ci:
     name: Build
     runs-on: windows-latest
+    permissions:
+      actions: write
 
     strategy:
       fail-fast: false
@@ -27,6 +28,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup devcmd
         uses: ilammy/msvc-dev-cmd@v1

.github/workflows/coverity-scan.yaml

@@ -26,6 +26,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: |

.github/workflows/stale_bot.yaml

@@ -4,12 +4,13 @@ on:
   schedule:
     - cron: '0 0 * * *'
 
-permissions:
+permissions: {}
-  pull-requests: write
 
 jobs:
   stale:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Mark and close stale PRs
         uses: actions/stale@v9