Harden GitHub Actions with dedicated zizmor workflow and CI workflow fixes#72

Draft
Copilot wants to merge 3 commits into master from copilot/issue-71-harden-github-workflows

Conversation


Copilot AI commented Jun 1, 2026

This PR adds automated GitHub Actions security analysis for workflow files and applies targeted hardening changes surfaced by zizmor in existing CI. The goal is to make workflow security checks continuous, scoped, and blocking on PR changes to .github/workflows/**.

  • New workflow: zizmor.yml

    • Adds a dedicated workflow at .github/workflows/zizmor.yml
    • Triggers on:
      • pull_request changes under .github/workflows/**
      • weekly schedule (0 0 * * 6)
    • Uses ubuntu-latest, timeout-minutes: 10, and least-privilege permissions (contents: read)
    • Runs zizmorcore/zizmor-action against .github/workflows
    • Configured for PR-blocking behavior when findings are present, with GitHub annotations enabled
  • Hardening updates to existing CI workflow (ruby.yml)

    • Disables credential persistence in checkout:
      • actions/checkout now sets persist-credentials: false
    • Removes dependency cache path flagged for poisoning risk:
      • ruby/setup-ruby now uses bundler-cache: false
  • Reporting behavior

    • Findings are surfaced via GitHub annotations (and action logs as fallback), aligned with the issue’s visibility requirement
```yaml
on:
  pull_request:
    paths:
      - ".github/workflows/**"
  schedule:
    - cron: "0 0 * * 6"

permissions:
  contents: read
```
Original prompt

Implement issue #71 in CycloneDX/cyclonedx-ruby-gem.

Issue: "chore: Harden all GitHub Workflows using Zizmor"

Requested changes:

  • Add a dedicated GitHub Actions workflow at .github/workflows/zizmor.yml.
  • Use zizmor / zizmor-action to analyze all workflows in .github/workflows/**.
  • Trigger on pull requests only when files under .github/workflows/** change.
  • Trigger on a weekly schedule (for example 0 0 * * 6).
  • Use ubuntu-latest.
  • Use least-privilege permissions, defaulting to contents: read and adding only what is required.
  • Add a reasonable timeout-minutes.
  • If findings are detected on pull request runs, the workflow must fail so the check is blocking.
  • Prefer GitHub annotations for reporting; otherwise provide clear text output in logs and/or the job summary.
  • Triage and apply recommended workflow hardening changes to existing workflows in the repository as needed to address findings, or if a finding cannot be fixed in the same PR, document follow-up issues.

Acceptance criteria:

  • A zizmor workflow exists in .github/workflows/ and runs on pull_request with paths: [".github/workflows/**"] and on a weekly schedule.
  • PR runs are blocking: the check fails if findings are detected.
  • Findings are surfaced via annotations where possible; otherwise via simple text output.
  • All zizmor findings are either fixed in the PR or tracked via follow-up issues.

Please inspect the repository workflows, implement the new workflow, make any necessary hardening changes to existing workflow files, and open a pull request referencing issue #71.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: see this issue @CycloneDX/cyclonedx-ruby-gem/issues/71

Assistant: I’m waiting for your response to the confirmation dialog so I can continue with the issue work.

This pull request was created from Copilot chat.
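The PR description above lists the shape of the new workflow and the two hardening changes but shows only a fragment. What follows is an added illustration, not the PR's own files: first a complete `zizmor.yml` matching the listed triggers, permissions, runner and timeout, then (after the `---` document separator) an excerpt of a CI job carrying the `persist-credentials: false` and `bundler-cache: false` changes. Assumptions: the `<commit-sha>` refs are placeholders for full-SHA pins, the `ruby-version` and `bundle exec rake` step are invented for the excerpt, and the `inputs`, `advanced-security` and `annotations` inputs of `zizmorcore/zizmor-action` are taken from memory of that action's README rather than from this PR; the SARIF upload path (`advanced-security: true`) needs `security-events: write`, so turning it off is what lets the job stay at `contents: read` and fail on findings instead.

```yaml
# .github/workflows/zizmor.yml  (added illustration; see lead-in for assumptions)
name: zizmor

on:
  pull_request:
    paths:
      - ".github/workflows/**"
  schedule:
    - cron: "0 0 * * 6"   # weekly, Saturday 00:00 UTC

# Least privilege: reading the repository is all this job needs.
permissions:
  contents: read

jobs:
  zizmor:
    runs-on: ubuntu-latest
    timeout-minutes: 10
    steps:
      - name: Check out workflow files
        # <commit-sha> is a placeholder: pin to a full commit SHA, otherwise
        # zizmor itself will flag the unpinned `uses:`.
        uses: actions/checkout@<commit-sha>
        with:
          # Do not leave GITHUB_TOKEN in .git/config for later steps to read.
          persist-credentials: false

      - name: Run zizmor
        uses: zizmorcore/zizmor-action@<commit-sha>   # placeholder pin
        with:
          # Assumed input names. Scan only the workflow directory.
          inputs: .github/workflows
          # Assumption: with the SARIF/code-scanning upload disabled the job
          # needs no security-events: write and fails the check on findings.
          advanced-security: false
          # Report findings as inline annotations on the PR diff.
          annotations: true

---
# Excerpt of a hardened CI job (illustration of the ruby.yml changes listed above)
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@<commit-sha>         # placeholder pin
        with:
          persist-credentials: false                  # the PR turns this off
      - uses: ruby/setup-ruby@<commit-sha>          # placeholder pin
        with:
          ruby-version: "3.3"                         # assumed for illustration
          # The PR disables the bundler cache: a restored cache is an input an
          # earlier PR could have poisoned, which zizmor flags.
          bundler-cache: false
      - run: bundle install && bundle exec rake       # assumed test step
```

Two caveats a reviewer would raise on this shape. Because the `pull_request` trigger is path-filtered, GitHub leaves the check in a pending state on PRs that touch nothing under `.github/workflows/`; if the check is made required in branch protection, such PRs cannot merge, so either keep it unrequired or drop the `paths` filter. And once `persist-credentials` is off, any later step in the same job that needs to push or call the API must be given a token explicitly rather than relying on the one checkout used to leave in `.git/config`.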


codacy-production Bot commented Jun 1, 2026

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy


Copilot AI changed the title [WIP] Add GitHub Actions workflow to harden all workflows using Zizmor Harden GitHub Actions with dedicated zizmor workflow and CI workflow fixes Jun 1, 2026
Copilot AI requested a review from jkowalleck June 1, 2026 19:06
