Add linter for GitHub actions

[ArBridgeman]

Summary

GitHub actions might introduce vulnerabilities into projects. Currently our linter Sonar does not validate actions.

We should add a linter for GitHub actions, e.g. https://github.com/zizmorcore/zizmor

zizmor can be installed with poetry. We could use the command directly or build a nox session around it.
probably would be helpful if we allow projects eventually to use the BaseConfig option for this stuff too, add to the checks.yml, but we first need to resolve the high errors or it would be annoying.

Possible Points

• resolve zizmor errors & create tracking issues for more tedious ones
• put zizmor in a nox session
• put zizmor in checks.yml -> add documentation for setup
• ⚠️ Figure out if zizmor can check templates & how - seems to only do workflows

[ArBridgeman]

❯ poetry run -- zizmor --min-severity high ./
 INFO zizmor: 🌈 zizmor v1.24.1
 INFO audit: zizmor: 🌈 completed ./.github/actions/python-environment/action.yml
 INFO audit: zizmor: 🌈 completed ./.github/actions/security-issues/action.yml
 INFO audit: zizmor: 🌈 completed ./.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/build-and-publish.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/cd.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/check-release-tag.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/checks.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/ci.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/gh-pages.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/matrix-all.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/matrix-exasol.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/matrix-python.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/merge-gate.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/pr-merge.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/report.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/slow-checks.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/test-python-environment.yml
 INFO audit: zizmor: 🌈 completed ./exasol/toolbox/templates/github/dependabot.yml
error[template-injection]: code injection via template expansion
  --> ./.github/actions/python-environment/action.yml:48:29
   |
47 |       run: |
   |       --- this run block
48 |         POETRY_VERSION="${{ inputs.poetry-version }}" "$PYTHON_BINARY" "${{ github.action_path }}/ext/get_poetry.py"
   |                             ^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/actions/python-environment/action.yml:80:28
   |
79 |       run: |
   |       --- this run block
80 |         EXTRAS=$(echo "${{ inputs.extras }}" | tr -d ' ')
   |                            ^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/actions/python-environment/action.yml:92:49
   |
90 |       run: |
   |       --- this run block
91 |         poetry run python --version
92 |         poetry run python --version | grep "${{ inputs.python-version }}"
   |                                                 ^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> ./.github/actions/python-environment/action.yml:37:13
   |
37 |       uses: actions/setup-python@v6
   |             ^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/actions/python-environment/action.yml:71:13
   |
71 |       uses: actions/cache@v5
   |             ^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[github-env]: dangerous use of environment file
  --> ./.github/actions/python-environment/action.yml:47:7
   |
47 | /       run: |
48 | |         POETRY_VERSION="${{ inputs.poetry-version }}" "$PYTHON_BINARY" "${{ github.action_path }}/ext/get_poetry.py"
49 | |         echo "$HOME/.local/bin" >> $GITHUB_PATH
   | |_______________________________________________^ write to GITHUB_PATH may allow code execution
   |
   = note: audit confidence → Low

error[template-injection]: code injection via template expansion
  --> ./.github/actions/security-issues/action.yml:47:13
   |
46 |       run: |
   |       --- this run block
47 |         ${{ inputs.command }} | tee input
   |             ^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/actions/security-issues/action.yml:52:37
   |
51 |       run: |
   |       --- this run block
52 |         tbx security cve convert ${{inputs.format}} < input | tee cves.jsonl
   |                                     ^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/actions/security-issues/action.yml:67:48
   |
66 |       run: |
   |       --- this run block
67 |         tbx security cve create --project "${{ inputs.project }}" < issues.jsonl | tee created.jsonl
   |                                                ^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> ./.github/actions/security-issues/action.yml:35:13
   |
35 |       uses: actions/setup-python@v6
   |             ^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/check-release-tag.yml:28:50
   |
28 |         run: "[[ `poetry version --short` == ${{ github.ref_name }} ]]"
   |         --- this run block                       ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/checks.yml:225:15
    |
225 |         uses: actions/checkout@v6
    |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/test-python-environment.yml:21:21
   |
19 |         run: |
   |         --- this run block
20 |           # Always run if the current branch is main
21 |           if [ "${{ github.ref_name }}" == "main" ]; then
   |                     ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/test-python-environment.yml:27:26
   |
19 |         run: |
   |         --- this run block
...
27 |             BASE_REF=${{ github.base_ref || 'main' }}
   |                          ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/test-python-environment.yml:15:15
   |
15 |       - uses: actions/checkout@v6
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/test-python-environment.yml:68:15
   |
68 |         uses: actions/checkout@v6
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

77 findings (30 ignored, 31 suppressed, 8 fixable): 0 informational, 0 low, 0 medium, 16 high

[kaklakariada]

See also exasol/project-keeper#727