
ci: add zizmor pre-commit hook and harden GitHub Actions workflows #40

Open
thrix-bot wants to merge 2 commits into main from
ci/add-zizmor-and-pin-actions

Conversation

@thrix-bot (Contributor) commented Apr 10, 2026

Summary

  • Add zizmor as a pre-commit hook to lint GitHub Actions workflows for security issues
  • Pin all GitHub Actions (actions/checkout, actions/setup-python, peaceiris/actions-gh-pages, peter-evans/create-pull-request) to commit SHAs
  • Pin all pre-commit hooks (shellcheck-py, pre-commit-hooks, gitleaks, markdownlint-cli, codespell, zizmor-pre-commit) to commit SHAs
  • Add persist-credentials: false to actions/checkout steps in mkdocs.yml and refresh-build-fmf.yml
  • Suppress unpinned-images for the Testing Farm container (always want latest)
  • Suppress secrets-outside-env for repository secrets (GitHub environments are overkill here)
  • Update container.yml.j2 template to match generated container.yml suppressions

Assisted-by: Claude Code

Summary by Sourcery

Harden CI and GitHub Actions security by pinning dependencies and adding workflow linting.

New Features:

  • Introduce zizmor as a pre-commit hook to lint GitHub Actions workflows for security issues.

Enhancements:

  • Pin all configured pre-commit hooks to specific commit SHAs.
  • Pin all GitHub Actions used in mkdocs and refresh-build-fmf workflows to specific commit SHAs.
  • Disable credential persistence for checkout steps in mkdocs and refresh-build-fmf workflows.
  • Document justified zizmor suppressions for Testing Farm container image pinning and secrets usage in container workflows and their template.

Add `zizmor` (GitHub Actions security linter) as a pre-commit hook to
catch workflow security issues during development.

Pin all GitHub Actions and pre-commit hooks to commit SHAs for supply
chain security. Add `persist-credentials: false` to `actions/checkout`
steps to prevent credential leakage through artifacts.

Suppress `unpinned-images` for the Testing Farm container (we always
want latest) and `secrets-outside-env` (overkill for this repo).

Assisted-by: Claude Code
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
@sourcery-ai bot commented Apr 10, 2026

Reviewer's Guide

This PR hardens CI by pinning all GitHub Actions and pre-commit hooks to immutable commit SHAs, introduces zizmor-based security linting for workflows, and adds explicit suppressions and settings needed to keep existing container behavior while satisfying the new linting rules.

Flow diagram for pre-commit and workflow security linting with zizmor

flowchart LR
  A[Developer edits workflows and scripts] --> B[git commit]
  B --> C[pre-commit runs]

  subgraph Pre_commit_hooks
    C1[Shellcheck_py]
    C2[Pre_commit_hooks]
    C3[Gitleaks]
    C4[Markdownlint_cli]
    C5[Codespell]
    C6[Zizmor_pre_commit lints GitHub_Actions_workflows]
  end

  C --> C1
  C --> C2
  C --> C3
  C --> C4
  C --> C5
  C --> C6

  C1 --> D{All hooks pass?}
  C2 --> D
  C3 --> D
  C4 --> D
  C5 --> D
  C6 --> D

  D -- No --> E[Developer fixes issues and recommits]
  D -- Yes --> F[Push to GitHub]

  F --> G[GitHub Actions workflows run with pinned action SHAs]

  subgraph Zizmor_suppressions_in_CI
    H1[Testing_Farm_container image latest with ignore_unpinned_images]
    H2[Secrets in env with ignore_secrets_outside_env]
  end

  G --> H1
  G --> H2

  G --> I[Workflows complete with hardened security configuration]

File-Level Changes

Change / Details / Files
Pin all pre-commit hooks to specific commit SHAs and add zizmor as a new pre-commit hook for GitHub Actions security linting.
  • Replace tag-based pre-commit revisions with explicit commit SHAs for shellcheck-py, pre-commit-hooks, gitleaks, markdownlint-cli, and codespell while preserving existing versions via comments.
  • Add the woodruffw/zizmor-pre-commit repository with a pinned SHA and enable the zizmor hook.
.pre-commit-config.yaml
Harden GitHub Actions workflows by pinning actions to SHAs and disabling credential persistence where appropriate.
  • Replace version-tag references for actions/checkout, actions/setup-python, peaceiris/actions-gh-pages, and peter-evans/create-pull-request with pinned commit SHAs, annotated with their corresponding major versions.
  • Add persist-credentials: false to actions/checkout steps in mkdocs.yml and refresh-build-fmf.yml to avoid leaking the default token into subsequent steps.
.github/workflows/mkdocs.yml
.github/workflows/refresh-build-fmf.yml
Align container workflow and its template with zizmor requirements via targeted suppressions while keeping existing image and secret usage.
  • Annotate the Testing Farm container image with a zizmor ignore for unpinned-images to continue using the latest tag intentionally.
  • Add zizmor ignore annotations for secrets-outside-env on TESTING_FARM_API_TOKEN and GHCR_TOKEN environment variables.
  • Mirror these zizmor suppression comments in the container workflow Jinja2 template to keep generated workflows consistent.
.github/workflows/container.yml
.github/workflows/container.yml.j2

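The file-level change above replaces tag references such as `@v4` with a commit SHA and keeps the major version as a trailing comment. The step that is easy to get wrong when doing this by hand is annotated tags: `git ls-remote --tags` lists both the tag object and, on a `^{}` line, the commit it points to, and a `uses:` pin must name the commit. The following is an added example, not code from the PR or the repository: the tag listing is constructed in the shape of `git ls-remote --tags <repo>` output (real output is tab-separated), and the 40-hex values are placeholders, not real action commits.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR or its repository: rewrite a
# tag-pinned "uses:" line as a SHA pin with the tag kept as a comment,
# the format the PR's workflow changes use.
set -eu

# Constructed listing in the shape of `git ls-remote --tags <repo>`.
# v4 is an annotated tag: the first line is the tag object, the "^{}"
# line is the commit it points to. v5 is a lightweight tag, so only the
# commit line appears. All SHAs are placeholders.
TAG_LISTING='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa refs/tags/v4
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb refs/tags/v4^{}
cccccccccccccccccccccccccccccccccccccccc refs/tags/v5'

# resolve_tag TAG: print the commit SHA for TAG from the listing on stdin.
# The peeled "^{}" entry wins: the tag object's SHA is not a commit and is
# the wrong thing to pin. Exits 1 if the tag is absent.
resolve_tag() {
  awk -v tag="$1" '
    $2 == "refs/tags/" tag "^{}" { peeled = $1 }
    $2 == "refs/tags/" tag       { plain  = $1 }
    END {
      sha = (peeled != "") ? peeled : plain
      if (sha == "") exit 1
      print sha
    }
  '
}

# pin_uses_line LINE LISTING: rewrite "uses: owner/repo@TAG" to
# "uses: owner/repo@SHA # TAG". Assumes the line has no trailing comment.
pin_uses_line() {
  line=$1 listing=$2
  tag=${line##*@}
  if ! sha=$(printf '%s\n' "$listing" | resolve_tag "$tag"); then
    echo "cannot resolve tag '$tag' in: $line" >&2
    return 1
  fi
  printf '%s@%s # %s\n' "${line%@*}" "$sha" "$tag"
}

# Demo on two constructed step lines.
pin_uses_line '      - uses: actions/checkout@v4' "$TAG_LISTING"
pin_uses_line '      - uses: actions/setup-python@v5' "$TAG_LISTING"
```

To use this against a real action, feed the output of `git ls-remote --tags https://github.com/<owner>/<repo>` in place of the constructed listing. The trailing `# v4` comment is what human readers and SHA-aware dependency updaters key on when bumping the pin, so keep it in sync with the SHA rather than dropping it.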

@sourcery-ai bot left a comment

Hey - I've left some high level feedback:

  • For the zizmor suppressions in the container workflow (unpinned-images and secrets-outside-env), consider expanding the inline comments to briefly explain the rationale (e.g., needing latest for Testing Farm CLI and why env-based secrets are acceptable here) so future changes don’t accidentally remove or misuse these ignores.

Add `environment: build` to the container build job so secrets are
scoped to a dedicated GitHub environment instead of being accessible
repo-wide. This addresses the `secrets-outside-env` zizmor finding
properly rather than suppressing it.

Also expand the `unpinned-images` suppression comment with rationale.

Assisted-by: Claude Code
Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
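The PR description and this follow-up commit together describe four settings: SHA-pinned `uses:` references with the version kept as a comment, `persist-credentials: false` on checkout, an intentional `:latest` image carrying an inline `# zizmor: ignore[unpinned-images]` with its rationale, and `environment: build` so the job's secrets are scoped to an environment instead of suppressing `secrets-outside-env`. Below is an added example, not code from the PR or the repository: a constructed "before" workflow beside the hardened shape, and a small line-oriented checker for those four points. It is a toy that covers only a subset of what zizmor checks, does not parse YAML, and treats the file as one job; the image name, secret name and SHAs are placeholders.

```shell
#!/usr/bin/env bash
# Added example for this PR's hardening pattern; not code from the PR or
# the repository. Both workflows are constructed; the image, secret name
# and 40-hex SHAs are placeholders, not values from the real repo.
set -eu

# "Before": tag-pinned actions, a :latest image with no documented reason,
# a repo-wide secret, and a checkout that keeps GITHUB_TOKEN in .git/config.
WEAK_WORKFLOW='name: container
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    container:
      image: quay.io/example/testing-farm-cli:latest
    env:
      TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
'

# "After": SHA pins with the major version as a comment, checkout stops
# persisting credentials, the job is bound to a GitHub environment so the
# secret is no longer reachable repo-wide, and the one intentional :latest
# image carries an inline zizmor ignore with its rationale.
HARDENED_WORKFLOW='name: container
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    environment: build
    container:
      image: quay.io/example/testing-farm-cli:latest # zizmor: ignore[unpinned-images] the CLI must track latest
    env:
      TESTING_FARM_API_TOKEN: ${{ secrets.TESTING_FARM_API_TOKEN }}
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false
      - uses: actions/setup-python@1111111111111111111111111111111111111111 # v5 (placeholder SHA)
'

# lint_workflow: read one workflow on stdin, print one finding per line.
# Keys on line shapes only (no YAML parse) and treats the file as one job.
lint_workflow() {
  awk '
    function close_checkout() {
      if (in_checkout && !persist_ok)
        print "persist-credentials: checkout keeps GITHUB_TOKEN in .git/config for later steps"
      in_checkout = 0; persist_ok = 0
    }
    # A new list item ends any open checkout step.
    /^[[:space:]]*-[[:space:]]/ { close_checkout() }
    # uses: owner/repo@REF must carry a full 40-hex commit SHA, not a tag.
    /^[[:space:]]*(-[[:space:]]+)?uses:[[:space:]]/ {
      ref = $0; sub(/.*@/, "", ref); sub(/[[:space:]].*/, "", ref)
      if (!(length(ref) == 40 && ref ~ /^[0-9a-f]+$/))
        print "unpinned-uses: " $0
      if ($0 ~ /actions\/checkout@/) in_checkout = 1
    }
    /persist-credentials:[[:space:]]*false/ { if (in_checkout) persist_ok = 1 }
    # A :latest image is a finding unless the line documents the zizmor ignore.
    /^[[:space:]]*image:.*:latest/ && !/zizmor: ignore\[unpinned-images\]/ {
      print "unpinned-images: " $0
    }
    /secrets\./ { uses_secret = 1 }
    /^[[:space:]]+environment:[[:space:]]/ { has_environment = 1 }
    END {
      close_checkout()
      if (uses_secret && !has_environment)
        print "secrets-outside-env: secret used by a job with no environment: binding"
    }
  '
}

# finding_count: number of findings for the workflow on stdin (0 = clean).
finding_count() {
  lint_workflow | wc -l | tr -d ' '
}

echo "== before =="
printf '%s' "$WEAK_WORKFLOW" | lint_workflow
echo "== after: $(printf '%s' "$HARDENED_WORKFLOW" | finding_count) finding(s) =="
```

The "before" workflow yields five findings (the image, two unpinned `uses:` lines, the checkout's credential persistence, and the secret in a job with no `environment:`); the hardened one yields none. The ignore comment is deliberately the only way to silence the image finding, which is the point of the review feedback above: the suppression should carry its reason on the same line so nobody removes or copies it without seeing why it exists.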