Github action fixes

.github/workflows/backport.yaml

@@ -1,6 +1,7 @@
 name: Pull Request backporting
 
 on:
+  # zizmor: ignore[dangerous-triggers] only runs on merged PRs, never checks out code
   pull_request_target:
     types:
       - closed
@@ -28,16 +29,16 @@ jobs:
     steps:
       - name: Generate a token from the orc-backport-bot github-app
         id: generate_token
-        uses: getsentry/action-github-app-token@5c1e90706fe007857338ac1bfbd7a4177db2f789
+        uses: getsentry/action-github-app-token@5c1e90706fe007857338ac1bfbd7a4177db2f789 # tag=v4.0.0
         with:
-          app_id: ${{ secrets.BACKPORT_APP_ID }}
-          private_key: ${{ secrets.BACKPORT_APP_PRIVATE_KEY }}
+          app_id: ${{ secrets.BACKPORT_APP_ID }} # zizmor: ignore[secrets-outside-env]
+          private_key: ${{ secrets.BACKPORT_APP_PRIVATE_KEY }} # zizmor: ignore[secrets-outside-env]
 
       - name: Backporting
         if: >
           contains(github.event.pull_request.labels.*.name, 'semver:patch')
           || contains(github.event.label.name, 'semver:patch')
-        uses: kiegroup/git-backporting@82e45d73f8d39bc3d7eb4b41859d313696c93ed9
+        uses: kiegroup/git-backporting@82e45d73f8d39bc3d7eb4b41859d313696c93ed9 # tag=v4.9.0
         with:
           target-branch: release-1.0
           pull-request: ${{ github.event.pull_request.url }}

.github/workflows/check-pr-labels.yaml

@@ -1,14 +1,16 @@
 name: Ready
 on:
   merge_group:
-  pull_request_target:
+  pull_request:
     types:
       - labeled
       - opened
       - reopened
       - synchronize
       - unlabeled
 
+permissions: {}
+
 jobs:
   hold:
     if: github.event.pull_request.merged == false

.github/workflows/container_image.yaml

@@ -17,17 +17,18 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v6.0.2
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
       with:
         # Required for git describe to generate correct output for populating
         # build variables
         fetch-depth: 0
         fetch-tags: true
+        persist-credentials: false
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v4
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # tag=v4
 
     - run: |
-        docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io
+        docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io # zizmor: ignore[secrets-outside-env]
         # Ensure we source identical build arguments for both builds
         source hack/version.sh && version::get_git_vars && version::get_build_date && \
           make docker-buildx IMG=${{ env.image_tag_branch }} && \

.github/workflows/e2e.yaml

@@ -29,17 +29,19 @@ jobs:
     runs-on: ubuntu-${{ matrix.ubuntu_version }}
 
     steps:
-    - uses: actions/checkout@v6.0.2
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+      with:
+        persist-credentials: false
 
     - name: Deploy devstack
-      uses: gophercloud/devstack-action@60ca1042045c0c9e3e001c64575d381654ffcba1
+      uses: gophercloud/devstack-action@60ca1042045c0c9e3e001c64575d381654ffcba1 # tag=v0.19
       with:
         enable_workaround_docker_io: 'false'
         branch: ${{ matrix.openstack_version }}
         enabled_services: "openstack-cli-server,neutron-trunk"
 
     - name: Deploy a Kind Cluster
-      uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc
+      uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # tag=v1.14.0
       with:
         cluster_name: orc
 
@@ -66,7 +68,7 @@ jobs:
 
     - name: Upload logs artifacts on failure
       if: failure()
-      uses: actions/upload-artifact@v7
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7
       with:
         name: e2e-${{ matrix.name }}-${{ github.run_id }}
         path: /tmp/artifacts/*

.github/workflows/ensure-labels.yaml

@@ -13,8 +13,10 @@ jobs:
   ensure:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6.0.2
-      - uses: micnncim/action-label-syncer@v1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
+      - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # tag=v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:

.github/workflows/generate.yaml

@@ -13,7 +13,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - run: |
           make generate

.github/workflows/go-lint.yaml

@@ -13,7 +13,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6.0.2
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Calculate go version
         id: vars

.github/workflows/label-issue.yaml

@@ -7,7 +7,7 @@ on:
 jobs:
   clear_needinfo:
     name: Clear needinfo
-    if: ${{ github.event.issue.user.login }} == ${{ github.event.comment.user.login }}
+    if: github.event.issue.user.login == github.event.comment.user.login
     runs-on: ubuntu-latest
     permissions:
       issues: write

.github/workflows/label-pr.yaml

@@ -1,92 +1,95 @@
 name: Label PR
 on:
+  # zizmor: ignore[dangerous-triggers] edits job only runs actions/labeler, no code checkout
   pull_request_target:
     types:
       - opened
       - synchronize
       - reopened
-permissions:
-  contents: read
-  pull-requests: write
+  # zizmor: ignore[dangerous-triggers] semver-label job never checks out or executes untrusted code
+  workflow_run:
+    workflows: ["Semver analysis"]
+    types:
+      - completed
+
+permissions: {}
 
 jobs:
-  semver:
+  semver-label:
+    if: github.event_name == 'workflow_run'
     runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      pull-requests: write
     steps:
-    - uses: actions/checkout@v6.0.2
-      with:
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-        token: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: Rebase the PR against origin/github.base_ref to ensure actual API compatibility
+    - name: Get PR number
+      id: pr
       run: |
-        git config --global user.email "localrebase@k-orc.cloud"
-        git config --global user.name "Local rebase"
-        git rebase -i origin/${{ github.base_ref }}
+        PR_NUMBER=$(gh api "repos/$REPO/commits/$HEAD_SHA/pulls" --jq '.[0].number')
+        if [ -z "$PR_NUMBER" ]; then
+          echo "Could not determine PR number" >&2
+          exit 1
+        fi
+        echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
       env:
-        GIT_SEQUENCE_EDITOR: '/usr/bin/true'
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        REPO: ${{ github.repository }}
+        HEAD_SHA: ${{ github.event.workflow_run.head_sha }}
 
-    - name: Calculate go version
-      id: vars
-      run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
+    - name: Report failure
+      if: github.event.workflow_run.conclusion == 'failure'
+      run: |
+        gh pr edit "$NUMBER" --remove-label "semver:major,semver:minor,semver:patch"
+        gh issue comment "$NUMBER" --body "$BODY"
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GH_REPO: ${{ github.repository }}
+        NUMBER: ${{ steps.pr.outputs.number }}
+        BODY: >
+          Failed to assess the semver bump. See [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.event.workflow_run.id }}) for details.
 
-    - name: Set up Go
-      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0
+    - name: Download semver results
+      if: github.event.workflow_run.conclusion == 'success'
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # tag=v4.3.0
       with:
-        go-version: ${{ steps.vars.outputs.go_version }}
-
-    - name: Checking Go API Compatibility
-      id: go-apidiff
-      # if semver=major, this will return RC=1, so let's ignore the failure so label
-      # can be set later. We check for actual errors in the next step.
-      continue-on-error: true
-      uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685
+        name: semver-results
+        run-id: ${{ github.event.workflow_run.id }}
+        github-token: ${{ secrets.GITHUB_TOKEN }}
 
-    # go-apidiff returns RC=1 when semver=major, which makes the workflow to return
-    # a failure. Instead let's just return a failure if go-apidiff failed to run.
-    - name: Return an error if Go API Compatibility couldn't be verified
-      if: steps.go-apidiff.outcome != 'success' && steps.go-apidiff.outputs.semver-type != 'major'
-      run: exit 1
+    - name: Read semver type
+      if: github.event.workflow_run.conclusion == 'success'
+      id: semver
+      run: echo "type=$(cat semver-type)" >> $GITHUB_OUTPUT
 
     - name: Add label semver:patch
-      if: steps.go-apidiff.outputs.semver-type == 'patch'
+      if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'patch'
       run: gh pr edit "$NUMBER" --add-label "semver:patch" --remove-label "semver:major,semver:minor"
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GH_REPO: ${{ github.repository }}
-        NUMBER: ${{ github.event.pull_request.number }}
+        NUMBER: ${{ steps.pr.outputs.number }}
 
     - name: Add label semver:minor
-      if: steps.go-apidiff.outputs.semver-type == 'minor'
+      if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'minor'
       run: gh pr edit "$NUMBER" --add-label "semver:minor" --remove-label "semver:major,semver:patch"
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GH_REPO: ${{ github.repository }}
-        NUMBER: ${{ github.event.pull_request.number }}
+        NUMBER: ${{ steps.pr.outputs.number }}
 
     - name: Add label semver:major
-      if: steps.go-apidiff.outputs.semver-type == 'major'
+      if: github.event.workflow_run.conclusion == 'success' && steps.semver.outputs.type == 'major'
       run: gh pr edit "$NUMBER" --add-label "semver:major" --remove-label "semver:minor,semver:patch"
       env:
         GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         GH_REPO: ${{ github.repository }}
-        NUMBER: ${{ github.event.pull_request.number }}
-
-    - name: Report failure
-      if: failure()
-      run: |
-        gh pr edit "$NUMBER" --remove-label "semver:major,semver:minor,semver:patch"
-        gh issue comment "$NUMBER" --body "$BODY"
-        exit 1
-      env:
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        GH_REPO: ${{ github.repository }}
-        NUMBER: ${{ github.event.pull_request.number }}
-        BODY: >
-          Failed to assess the semver bump. See [logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for details.
+        NUMBER: ${{ steps.pr.outputs.number }}
 
   edits:
+    if: github.event_name == 'pull_request_target'
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
-    - uses: actions/labeler@v6
+    - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # tag=v6

.github/workflows/pr-dependabot.yaml

@@ -20,6 +20,8 @@ jobs:
     steps:
     - name: Check out code into the Go module directory
       uses: actions/checkout@0c366fd6a839edf440554fa01a7085ccba70ac98 # tag=v4.2.2
+      with:
+        persist-credentials: true # zizmor: ignore[artipacked] EndBug/add-and-commit needs git credentials to push
     - name: Calculate go version
       id: vars
       run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT

.github/workflows/release_image.yaml

@@ -17,19 +17,20 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v6.0.2
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
       with:
         # Required for git describe to generate correct output for populating
         # build variables
         fetch-depth: 0
         fetch-tags: true
+        persist-credentials: false
     - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v4
+      uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # tag=v4
     - name: Install build dependencies
       run: sudo apt-get install -y libgpgme-dev
 
     - run: |
-        docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io
+        docker login -u="${{ secrets.QUAY_USERNAME }}" -p="${{ secrets.QUAY_TOKEN }}" quay.io # zizmor: ignore[secrets-outside-env]
         make docker-buildx IMG=${{ env.image_tag }}
         make build-bundle-image BUNDLE_IMG=${{ env.bundle_image_tag }}
         make docker-push IMG=${{ env.bundle_image_tag }}

.github/workflows/semver.yaml

@@ -0,0 +1,66 @@
+name: Semver analysis
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+      with:
+        fetch-depth: 0
+        ref: ${{ github.event.pull_request.head.sha }}
+        persist-credentials: false
+
+    - name: Rebase the PR against base ref to ensure actual API compatibility
+      run: |
+        git config --global user.email "localrebase@k-orc.cloud"
+        git config --global user.name "Local rebase"
+        git rebase -i origin/$BASE_REF
+      env:
+        GIT_SEQUENCE_EDITOR: '/usr/bin/true'
+        BASE_REF: ${{ github.base_ref }}
+
+    - name: Calculate go version
+      id: vars
+      run: echo "go_version=$(make go-version)" >> $GITHUB_OUTPUT
+
+    - name: Set up Go
+      uses: actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # tag=v6.3.0
+      with:
+        go-version: ${{ steps.vars.outputs.go_version }}
+
+    - name: Checking Go API Compatibility
+      id: go-apidiff
+      # if semver=major, this will return RC=1, so let's ignore the failure so label
+      # can be set later. We check for actual errors in the next step.
+      continue-on-error: true
+      uses: joelanford/go-apidiff@60c4206be8f84348ebda2a3e0c3ac9cb54b8f685 # tag=v0.8.3
+
+    # go-apidiff returns RC=1 when semver=major, which makes the workflow to return
+    # a failure. Instead let's just return a failure if go-apidiff failed to run.
+    - name: Return an error if Go API Compatibility couldn't be verified
+      if: steps.go-apidiff.outcome != 'success' && steps.go-apidiff.outputs.semver-type != 'major'
+      run: exit 1
+
+    - name: Save semver result
+      if: always()
+      run: |
+        mkdir -p semver-results
+        echo "$SEMVER_TYPE" > semver-results/semver-type
+      env:
+        SEMVER_TYPE: ${{ steps.go-apidiff.outputs.semver-type }}
+
+    - name: Upload semver results
+      if: always()
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # tag=v7
+      with:
+        name: semver-results
+        path: semver-results/