ci: github workflow linter and security validator

[Shurtu-gal]

Progress Tracker

Validate workflow files

The flow would be ->

1. yamlint to validate the syntax of the yaml files.
2. Check against schema using ajv to make sure the workflow files are following the correct structure and not missing any required fields.
3. Use action-lint to check for any potential security issues or best practices in the workflow files. It also checks the params for popular actions.
4. Use zizmor to check for any potential security issues in the workflow files.

Github workflows

• zizmor.yml
• add-good-first-issue-labels.yml Test Workflow Run and Test Issue Comment
• automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml - Uses GITHUB_TOKEN instead of GH_TOKEN and added pull-requests write permissions to be able write to PR issues and read PR metadata from the issue pull_request URL. Test PR and Test Workflow Run.
• automerge-for-humans-remove-ready-to-merge-label-on-edit.yml - Changed to pull_request instead of pull_request_target as secrets access not needed. Test workflow run.
• automerge-orphans.yml - GITHUB_TOKEN enough as just querying for PRs and informing in slack.
• bounty-program-commands.yml - Fix allowlist as earlier it was just collapsing to aeworxet instead of checking for either. Test PR and Test Workflow Run.
• bump.yml
• global-remover.yml - Removed this file as not needed.
• global-replicator.yml
• help-command.yml Issue Comment and Workflow
• if-docker-pr-testing.yml
• if-go-pr-testing.yml
• if-nodejs-pr-testing.yml Test Workflow Run
• if-nodejs-release.yml - Permissions were already well defined.
• if-nodejs-version-bump.yml GITHUB_TOKEN used instead of GH_TOKEN and permissions added to the workflow and the job. Test PR and Test Workflow Run.
• issues-prs-notifications.yml No permissions needed since the workflow only reads context data. Pull request target not a big problem but can have spam notifications or phishing links.
• lint-pr-title.yml - Using GITHUB_TOKEN instead of GH_TOKEN and added permissions to the workflow and the job. Test PR and Test Workflow Run
• notify-tsc-members-mention.yml - pull_request_target not a big issue for this one. Mailchimp script needs to be tightened though.
• please-take-a-look-command.yml - permissions added to the workflow. Test PR and Test Workflow Run
• release-announcements.yml Just added content read permissions and removed checkout persist credentials.
• stale-issues-prs.yml - Permissions added to the workflow and the job. Test Issue and Test Workflow Run
• transfer-issue.yml Removed that as it was not working right now.
• update-docs-on-docs-commits.yml - Just added content read permissions since the workflow uses GH_TOKEN and removed checkout persist credentials.
• update-maintainers-trigger.yaml Didn't do too much, just added content read permissions since the workflow uses GH_TOKEN.
• welcome-first-time-contrib.yml - permissions tightened and GH_TOKEN -> GITHUB_TOKEN so that pull_request_target is no longer required. Test Issue
• update-pr.yml - Test PR
• automerge.yml
• autoupdate.yml Test Workflow Run
• automerge-for-humans-merging.yml Test PR and Test Workflow Run.

Scripts

• Mailchimp scripts - Used AI for this as don't have much expertise in XSS security.
  • htmlContent.js
  • index.js
  • package.json
  • package-lock.json

Actions

• get-node-version-from-package-lock
  • action.yml
  • README.md
• slackify-markdown - Nothing to tighten here as the action only takes an input and returns an output, no API calls or anything.
  • action.yml

Add actions-permission monitoring to the issues.

Still need to verify

• issues-prs-notifications.yml - Spam notifications need to be discussed.
• global-remover.yml - Removed this file as not needed anymore

Related issue(s)
Fixes #388

[aeworxet]

@asyncapi/bounty_team

[Shurtu-gal]

Nearly everything is done. Only thing left is to integrate zizmor with validate workflow.

[Shurtu-gal]

Everything in zizmor passes now ->

zizmor --gh-token=$GH_TOKEN  --persona=auditor .github/workflows/                          
INFO audit: zizmor: 🌈 completed .github/workflows/add-good-first-issue-labels.yml
INFO audit: zizmor: 🌈 completed .github/workflows/automerge-for-humans-add-ready-to-merge-or-do-not-merge-label.yml
INFO audit: zizmor: 🌈 completed .github/workflows/automerge-for-humans-merging.yml
INFO audit: zizmor: 🌈 completed .github/workflows/automerge-for-humans-remove-ready-to-merge-label-on-edit.yml
INFO audit: zizmor: 🌈 completed .github/workflows/automerge-orphans.yml
INFO audit: zizmor: 🌈 completed .github/workflows/automerge.yml
INFO audit: zizmor: 🌈 completed .github/workflows/autoupdate.yml
INFO audit: zizmor: 🌈 completed .github/workflows/bounty-program-commands.yml
INFO audit: zizmor: 🌈 completed .github/workflows/bump.yml
INFO audit: zizmor: 🌈 completed .github/workflows/global-replicator.yml
INFO audit: zizmor: 🌈 completed .github/workflows/help-command.yml
INFO audit: zizmor: 🌈 completed .github/workflows/if-docker-pr-testing.yml
INFO audit: zizmor: 🌈 completed .github/workflows/if-go-pr-testing.yml
INFO audit: zizmor: 🌈 completed .github/workflows/if-nodejs-pr-testing.yml
INFO audit: zizmor: 🌈 completed .github/workflows/if-nodejs-release.yml
INFO audit: zizmor: 🌈 completed .github/workflows/if-nodejs-version-bump.yml
INFO audit: zizmor: 🌈 completed .github/workflows/issues-prs-notifications.yml
INFO audit: zizmor: 🌈 completed .github/workflows/lint-pr-title.yml
INFO audit: zizmor: 🌈 completed .github/workflows/notify-tsc-members-mention.yml
INFO audit: zizmor: 🌈 completed .github/workflows/please-take-a-look-command.yml
INFO audit: zizmor: 🌈 completed .github/workflows/release-announcements.yml
INFO audit: zizmor: 🌈 completed .github/workflows/stale-issues-prs.yml
INFO audit: zizmor: 🌈 completed .github/workflows/update-docs-on-docs-commits.yml
INFO audit: zizmor: 🌈 completed .github/workflows/update-maintainers-trigger.yaml
INFO audit: zizmor: 🌈 completed .github/workflows/update-pr.yml
INFO audit: zizmor: 🌈 completed .github/workflows/welcome-first-time-contrib.yml
No findings to report. Good job! (7 ignored)

[Shurtu-gal]

Actionlint problems fixed. Although $GITHUB_OUTPUT is safe inherently, doesn't hurt to be cautious.

Ref:

• https://stackoverflow.com/a/77924154
• $GITHUB_OUTPUT should not require double quoting rhysd/actionlint#470

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[Shurtu-gal]

@derberg this is ready for review now.

Some questions:

1. Do we need to limit issues and prs notifications as it can be misued for spam?
2. Removed global-remover workflow. Lemme know if that's fine.
3. Should we propagate workflow validation to other repos as well.

cc: @Florence-Njeri as it is security related.

[Shurtu-gal]

Stuff is already working in a fantastic manner:
https://github.com/asyncapi/.github/actions/runs/24212572138/job/70684951628#step:3:90

#393 (comment)

[Shurtu-gal]

Failure example:
https://github.com/asyncapi-actions-test/asyncapi-github/actions/runs/24213639690/job/70688634506

[Shurtu-gal]

Future todo:
https://github.com/8398a7/action-slack/ is archived but needs to be done separately

[Florence-Njeri]

All the changes look good to me, just one question @Shurtu-gal