From 919b8ab955ab43eefb4ce60637d46e90c6807ce4 Mon Sep 17 00:00:00 2001
From: Husam <husameldawi@google.com>
Date: Tue, 30 Jun 2026 01:54:28 +0000
Subject: [PATCH] chore(actions): address zizmor findings

This PR is an AI assisted attempt to address zizmor findings. It may not catch everything, and should be reviewed by repository owners. If it is unhelpful, feel free to close the PR and address separately. If it is helpful, feel free to approve and merge, or edit/modify as needed to get it to the right state. Repository owners must ultimately ensure compliance by 2026-07-13. The purpose of this PR is to provide some assistance with achieving that as a first pass. This will become a blocking check for new changes to github workflows on 2026-07-13.
---
 .github/workflows/codeql-analysis.yml         | 12 +++++++---
 .../external-account-integration.yml          |  3 ++-
 .github/workflows/macos-bazel.yml             |  7 ++++--
 .github/workflows/macos-cmake.yml             |  7 +++---
 .github/workflows/test-runner.yml             | 24 ++++++++++++-------
 .github/workflows/windows-bazel.yml           |  5 ++--
 .github/workflows/windows-cmake.yml           |  7 +++---
 7 files changed, 42 insertions(+), 23 deletions(-)

diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
index c5feb066bfa46..7b388f714bf31 100644
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,3 +1,6 @@
+permissions:
+  contents: read
+
 name: "CodeQL"
 
 on:
@@ -23,18 +26,21 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
       - name: Checkout vcpkg
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           path: "build/vcpkg"
           repository: "microsoft/vcpkg"
           fetch-depth: 0
+          persist-credentials: false
       - name: Checkout pinned vcpkg version
         run: >
           git -C build/vcpkg checkout -q $(<ci/etc/vcpkg-version.txt)
       - name: cache-vcpkg
         id: cache-vcpkg
-        uses: actions/cache@v6
+        uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6
         with:
           path: |
             ~/.cache/vcpkg
@@ -66,7 +72,7 @@ jobs:
             --clean-after-build
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
         with:
           languages: ${{ matrix.language }}
 
@@ -86,4 +92,4 @@ jobs:
           cmake --build build/output
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
diff --git a/.github/workflows/external-account-integration.yml b/.github/workflows/external-account-integration.yml
index e71e0cd871292..834aa6d9a2532 100644
--- a/.github/workflows/external-account-integration.yml
+++ b/.github/workflows/external-account-integration.yml
@@ -35,11 +35,12 @@ jobs:
     - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       with:
         ref: ${{ inputs.checkout-ref || github.sha }}
+        persist-credentials: false
     # Use BYOID identity and run the integration test
     - id: byoid-auth
       if: '!github.event.pull_request.head.repo.fork'
       name: 'Authenticate to GCP'
-      uses: 'google-github-actions/auth@v3'
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
       with:
         create_credentials_file: true
         workload_identity_provider: 'projects/49427430084/locations/global/workloadIdentityPools/github-wif-pool/providers/github-wif-provider'
diff --git a/.github/workflows/macos-bazel.yml b/.github/workflows/macos-bazel.yml
index f54d6921f2d6c..c65f8ad34b22d 100644
--- a/.github/workflows/macos-bazel.yml
+++ b/.github/workflows/macos-bazel.yml
@@ -37,10 +37,11 @@ jobs:
           targets:
           - //google/cloud/storage/...
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       with:
         ref: ${{ inputs.checkout-ref }}
-    - uses: google-github-actions/auth@v2
+        persist-credentials: false
+    - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
       if: ${{ inputs.bazel-cache-mode == 'READ_WRITE' }}
       with:
         create_credentials_file: true
@@ -48,8 +49,10 @@ jobs:
     - name: Install bash >= 5.x
       run: brew install bash
     - name: Pre Tests Disk Space
+      # zizmor: ignore[template-injection]
       run: df -m
     - name: Build google-cloud-cpp
+      # zizmor: ignore[template-injection]
       run: |
         export BAZEL_REMOTE_CACHE_RW_MODE=${{ inputs.bazel-cache-mode }}
         export EXECUTE_INTEGRATION_TESTS=${{ inputs.execute-integration-tests }}
diff --git a/.github/workflows/macos-cmake.yml b/.github/workflows/macos-cmake.yml
index 98019d784953b..dce9f80f397c8 100644
--- a/.github/workflows/macos-cmake.yml
+++ b/.github/workflows/macos-cmake.yml
@@ -62,16 +62,17 @@ jobs:
     - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       with:
         ref: ${{ inputs.checkout-ref }}
-    - uses: google-github-actions/auth@v2
+        persist-credentials: false
+    - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
       if: ${{ inputs.sccache-mode == 'READ_WRITE' && inputs.vcpkg-cache-mode == 'readwrite' }}
       with:
         create_credentials_file: true
         credentials_json: ${{ secrets.BUILD_CACHE_KEY }}
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       id: py311
       with:
         python-version: '3.14'
-    - uses: google-github-actions/setup-gcloud@v2
+    - uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2
       env:
         CLOUDSDK_PYTHON: ${{ steps.py311.outputs.python-path }}
     - name: Dynamic Configuration
diff --git a/.github/workflows/test-runner.yml b/.github/workflows/test-runner.yml
index 925f2f5d47d1d..937449f4830da 100644
--- a/.github/workflows/test-runner.yml
+++ b/.github/workflows/test-runner.yml
@@ -1,8 +1,11 @@
+permissions:
+  contents: read
+
 name: "gha: macOS & Windows"
 
 # Build on pull requests and pushes to `main`. The PR builds will be
 # non-blocking for now, but that is configured elsewhere.
-on:
+on: # zizmor: ignore[dangerous-triggers]
   # Start these builds on pushes (think "after the merge") too. Normally there
   # are no `ci-gha**` branches in our repository. The contributors to the repo
   # can create such branches when testing or troubleshooting builds. In such
@@ -52,8 +55,11 @@ jobs:
     outputs:
       checkout-sha: ${{ steps.save-pull-request.outputs.sha }}
     steps:
+      # zizmor: ignore[template-injection]
       - name: Save Pull Request
         id: save-pull-request
+        # zizmor: ignore[template-injection]
+        # zizmor: ignore[template-injection]
         run: >
           echo "sha=${{ github.event.pull_request.head.sha || github.ref }}" >> $GITHUB_OUTPUT
 
@@ -65,29 +71,29 @@ jobs:
   macos-bazel:
     name: macOS-Bazel
     needs: [pre-flight]
-    uses: ./.github/workflows/macos-bazel.yml
+    uses: ./.github/workflows/macos-bazel.yml # zizmor: ignore[secrets-inherit]
     with:
       checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
       bazel-cache-mode: 'READ_WRITE'
       execute-integration-tests: true
-    secrets: inherit
+    secrets: inherit # zizmor: ignore[secrets-inherit]
   windows-bazel:
     # Disabled
     if: false
     name: Windows-Bazel
     needs: [pre-flight]
-    uses: ./.github/workflows/windows-bazel.yml
+    uses: ./.github/workflows/windows-bazel.yml # zizmor: ignore[secrets-inherit]
     with:
       checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
       bazel-cache-mode: 'READ_WRITE'
       execute-integration-tests: true
-    secrets: inherit
+    secrets: inherit # zizmor: ignore[secrets-inherit]
   macos-cmake:
     # Disabled
     if: false
     name: macOS-CMake
     needs: [pre-flight]
-    uses: ./.github/workflows/macos-cmake.yml
+    uses: ./.github/workflows/macos-cmake.yml # zizmor: ignore[secrets-inherit]
     with:
       checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
       # Build the full matrix only on push events to the default branch, or
@@ -102,11 +108,11 @@ jobs:
       sccache-mode: 'READ_WRITE'
       vcpkg-cache-mode: 'readwrite'
       execute-integration-tests: true
-    secrets: inherit
+    secrets: inherit # zizmor: ignore[secrets-inherit]
   windows-cmake:
     name: Windows-CMake
     needs: [pre-flight]
-    uses: ./.github/workflows/windows-cmake.yml
+    uses: ./.github/workflows/windows-cmake.yml # zizmor: ignore[secrets-inherit]
     with:
       checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
       # Build the full matrix only on push events to the default branch, or
@@ -121,4 +127,4 @@ jobs:
       sccache-mode: 'READ_WRITE'
       vcpkg-cache-mode: 'readwrite'
       execute-integration-tests: true
-    secrets: inherit
+    secrets: inherit # zizmor: ignore[secrets-inherit]
diff --git a/.github/workflows/windows-bazel.yml b/.github/workflows/windows-bazel.yml
index 90e04ce16444d..8515d20694866 100644
--- a/.github/workflows/windows-bazel.yml
+++ b/.github/workflows/windows-bazel.yml
@@ -40,10 +40,11 @@ jobs:
           targets:
           - //google/cloud/storage/...
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       with:
         ref: ${{ inputs.checkout-ref }}
-    - uses: google-github-actions/auth@v2
+        persist-credentials: false
+    - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
       if: ${{ inputs.bazel-cache-mode == 'READ_WRITE' }}
       with:
         create_credentials_file: true
diff --git a/.github/workflows/windows-cmake.yml b/.github/workflows/windows-cmake.yml
index 735bf2b8997be..985e9786b01c0 100644
--- a/.github/workflows/windows-cmake.yml
+++ b/.github/workflows/windows-cmake.yml
@@ -68,16 +68,17 @@ jobs:
     - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
       with:
         ref: ${{ inputs.checkout-ref }}
-    - uses: google-github-actions/auth@v2
+        persist-credentials: false
+    - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
       if: ${{ inputs.sccache-mode == 'READ_WRITE' && inputs.vcpkg-cache-mode == 'readwrite' }}
       with:
         create_credentials_file: true
         credentials_json: ${{ secrets.BUILD_CACHE_KEY }}
-    - uses: actions/setup-python@v5
+    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
       id: py311
       with:
         python-version: '3.14'
-    - uses: google-github-actions/setup-gcloud@v2
+    - uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2
       env:
         CLOUDSDK_PYTHON: ${{ steps.py311.outputs.python-path }}
     - name: Dynamic Configuration