chore: harden all GitHub workflows using zizmor

[Copilot]

Adds automated GitHub Actions security analysis via zizmor and addresses all findings it surfaces in the existing workflows and Dependabot configuration.

New workflow: .github/workflows/zizmor.yml

• Triggers on pull_request (path-filtered to .github/workflows/** and .github/dependabot.yml) and weekly schedule (0 0 * * 6)
• Also triggers on push for the same paths
• PR runs are blocking: workflow fails on any findings
• Findings surfaced as GitHub annotations (annotations: true, advanced-security: false)
• Least-privilege permissions: contents: read only

Findings fixed: artipacked (credential persistence via artifacts)

All actions/checkout steps across three workflows were missing persist-credentials: false, allowing tokens to persist into artifacts. Fixed in:

• .github/workflows/docker.yml — 1 step
• .github/workflows/python.yml — 7 steps
• .github/workflows/release.yml — 4 steps

- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
  with:
    persist-credentials: false

Findings fixed: dependabot-cooldown (insufficient cooldown in Dependabot updates)

All three ecosystems in .github/dependabot.yml were missing a cooldown configuration. Added cooldown: default-days: 7 to each:

• github-actions
• docker
• pip

After these fixes, zizmor reports zero findings across all workflows and configuration files.

AI Tool Disclosure

• My contribution includes AI-generated content, as disclosed below:
  • AI Tools: GitHub Copilot
  • LLMs and versions: Claude Sonnet 4.5
  • Prompts: Implement zizmor workflow and fix all findings per issue requirements

Affirmation

• My code follows the CONTRIBUTING.md guidelines

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Coverage ∅ diff coverage · +0.00% coverage variation

Metric	Results
Coverage variation	✅ +0.00% coverage variation (-1.00%)
Diff coverage	✅ ∅ diff coverage (80.00%)

View coverage diff in Codacy

Coverage variation details

	Coverable lines	Covered lines	Coverage
Common ancestor commit (3d97dee)	1152	1117	96.96%
Head commit (42d8b4b)	1152 (+0)	1117 (+0)	96.96% (+0.00%)

Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>

Diff coverage details

	Coverable lines	Covered lines	Diff coverage
Pull request (#1054)	0	0	∅ (not applicable)

Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[jkowalleck]

 INFO zizmor: 🌈 zizmor v1.24.1
 INFO audit: zizmor: 🌈 completed ./.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/docker.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/python.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/release.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/zizmor.yml
Warning: dependabot.yml:5: insufficient cooldown in Dependabot updates: missing cooldown configuration
Warning: dependabot.yml:15: insufficient cooldown in Dependabot updates: missing cooldown configuration
Warning: dependabot.yml:27: insufficient cooldown in Dependabot updates: missing cooldown configuration
Error: Process completed with exit code 13.

@copilot zizmor reports some findings. fix them .

[Copilot]

 INFO zizmor: 🌈 zizmor v1.24.1
 INFO audit: zizmor: 🌈 completed ./.github/dependabot.yml

...

Fixed in 42d8b4b. Added cooldown: default-days: 7 to all three ecosystems in dependabot.yml using zizmor's auto-fix. Also updated the zizmor workflow trigger paths to include .github/dependabot.yml. zizmor now reports zero findings across all files.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• docs.zizmor.sh
  • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)