ci: pin all GitHub Actions to SHAs and add zizmor security linter

davidgamero · davidgamero · commit 8542fa33bcdc · 2026-03-27T07:11:39.000-04:00
Pin remaining mutable tag references to full commit SHAs with version
comments for traceability. Add zizmor as a CI job to enforce SHA pinning
and detect SHA-to-version-comment mismatches on every push and PR.

Also fix missing @ separator in codeql-analysis.yml analyze action reference.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -38,15 +38,15 @@ jobs:
 
         steps:
             - name: Checkout repository
-              uses: actions/checkout@v6.0.2
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
             # Initializes the CodeQL tools for scanning.
             - name: Initialize CodeQL
-              uses: github/codeql-action/init@v4
+              uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
               with:
                   languages: ${{ matrix.language }}
 
             - name: Autobuild
-              uses: github/codeql-action/autobuild@v4
+              uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
             - name: Perform CodeQL Analysis
-              uses: github/codeql-action/analyze@v4
+              uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
diff --git a/.github/workflows/deploy-docs.yml b/.github/workflows/deploy-docs.yml
@@ -8,9 +8,9 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - name: Checkout
-              uses: actions/checkout@v6.0.2
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
             - name: Setup Node.js
-              uses: actions/setup-node@v6
+              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
                   node-version: '20'
             # Pre-check to validate that versions match between package.json
@@ -23,7 +23,7 @@ jobs:
               run: npm run docs
 
             - name: Deploy docs
-              uses: JamesIves/github-pages-deploy-action@v4.8.0
+              uses: JamesIves/github-pages-deploy-action@d92aa235d04922e8f08b40ce78cc5442fcfbfa2f # v4.8.0
               with:
                   branch: gh-pages # The branch the action should deploy to.
                   folder: docs # The folder the action should deploy.
diff --git a/.github/workflows/generate-javascript.yml b/.github/workflows/generate-javascript.yml
@@ -1,56 +1,56 @@
 name: Generate
 
 on:
-  workflow_dispatch:
-    inputs:
-      kubernetesBranch:
-        type: string
-        required: true
-        description: 'The remote kubernetes release branch to fetch openapi spec. .e.g. "release-1.23"'
-      genCommit:
-        type: string
-        required: true
-        default: 'b461333bb57fa2dc2152f939ed70bac3cef2c1f6'
-        description: 'The commit to use for the kubernetes-client/gen repo'
+    workflow_dispatch:
+        inputs:
+            kubernetesBranch:
+                type: string
+                required: true
+                description: 'The remote kubernetes release branch to fetch openapi spec. .e.g. "release-1.23"'
+            genCommit:
+                type: string
+                required: true
+                default: 'b461333bb57fa2dc2152f939ed70bac3cef2c1f6'
+                description: 'The commit to use for the kubernetes-client/gen repo'
 
 permissions:
-  contents: write
-  pull-requests: write
+    contents: write
+    pull-requests: write
 
 jobs:
-  generate:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Javascript
-        uses: actions/checkout@v6.0.2
-      - name: Setup Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: '20'
-      - name: Generate Openapi
-        run: |
-          echo "export KUBERNETES_BRANCH=${{ github.event.inputs.kubernetesBranch }}" >> ./settings
-          echo "export GEN_COMMIT=${{ github.event.inputs.genCommit }}" >> ./settings
-          ./generate-client.sh
-      - name: Generate Branch Name
-        run: |
-          SUFFIX=$(openssl rand -hex 4)
-          echo "BRANCH=automated-generate-$SUFFIX" >> $GITHUB_ENV
-      - name: Commit and push
-        run: |
-          # Commit and push
-          git config user.email "k8s.ci.robot@gmail.com"
-          git config user.name "Kubernetes Prow Robot"
-          git checkout -b "$BRANCH"
-          git add .
-          # we modify the settings file in "Generate Openapi" but do not want to commit this
-          git reset settings
-          git commit -s -m 'Automated openapi generation from ${{ github.event.inputs.kubernetesBranch }}'
-          git push origin "$BRANCH"
-      - name: Pull Request
-        uses: repo-sync/pull-request@v2
-        with:
-          source_branch: ${{ env.BRANCH }}
-          destination_branch: ${{ github.ref_name }}
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          pr_title: "Automated Generate from openapi ${{ github.event.inputs.kubernetesBranch }}"
+    generate:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout Javascript
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+            - name: Setup Node
+              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+              with:
+                  node-version: '20'
+            - name: Generate Openapi
+              run: |
+                  echo "export KUBERNETES_BRANCH=${{ github.event.inputs.kubernetesBranch }}" >> ./settings
+                  echo "export GEN_COMMIT=${{ github.event.inputs.genCommit }}" >> ./settings
+                  ./generate-client.sh
+            - name: Generate Branch Name
+              run: |
+                  SUFFIX=$(openssl rand -hex 4)
+                  echo "BRANCH=automated-generate-$SUFFIX" >> $GITHUB_ENV
+            - name: Commit and push
+              run: |
+                  # Commit and push
+                  git config user.email "k8s.ci.robot@gmail.com"
+                  git config user.name "Kubernetes Prow Robot"
+                  git checkout -b "$BRANCH"
+                  git add .
+                  # we modify the settings file in "Generate Openapi" but do not want to commit this
+                  git reset settings
+                  git commit -s -m 'Automated openapi generation from ${{ github.event.inputs.kubernetesBranch }}'
+                  git push origin "$BRANCH"
+            - name: Pull Request
+              uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1
+              with:
+                  source_branch: ${{ env.BRANCH }}
+                  destination_branch: ${{ github.ref_name }}
+                  github_token: ${{ secrets.GITHUB_TOKEN }}
+                  pr_title: 'Automated Generate from openapi ${{ github.event.inputs.kubernetesBranch }}'
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -34,9 +34,9 @@ jobs:
         environment: production
         steps:
             - name: Checkout Javascript
-              uses: actions/checkout@v6.0.2
+              uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
             - name: Setup Node
-              uses: actions/setup-node@v6
+              uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
                   node-version: '25'
                   registry-url: 'https://registry.npmjs.org'
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -14,8 +14,8 @@ jobs:
                 node: ['25', '24', '23', '22', '20', '18']
         name: Node ${{ matrix.node }} validation
         steps:
-            - uses: actions/checkout@v6.0.2
-            - uses: actions/setup-node@v6
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+            - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
                   node-version: ${{ matrix.node }}
             # Pre-check to validate that versions match between package.json
@@ -33,5 +33,18 @@ jobs:
             - run: npm audit --audit-level=critical
             - run: npm run build-with-tests && npm run test-transpiled
             - name: Create k8s Kind Cluster
-              uses: helm/kind-action@v1
+              uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1.14.0
             - run: npm run integration-test
+    zizmor:
+        runs-on: ubuntu-latest
+        name: GitHub Actions security lint
+        permissions:
+            contents: read
+        steps:
+            - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              with:
+                  persist-credentials: false
+            - uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2
+              with:
+                  advanced-security: false
+                  persona: pedantic
