Add zizmor lint

.github/workflows/_unit_test.yml

@@ -36,9 +36,12 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
     - name: Generate lockfile
       id: lockfile
+      env:
+        LOCKFILE: lockfile-${{ inputs.alias }}-${{ github.run_id }}
       run: |
         bundle lock
-        echo "lockfile=lockfile-${{ inputs.alias }}-${{ github.run_id }}" >> $GITHUB_OUTPUT
+        echo "lockfile=$LOCKFILE" >> $GITHUB_OUTPUT
+
     - name: Upload lockfile
       uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
       with:

.github/workflows/build-gem.yml

@@ -37,18 +37,13 @@ jobs:
           bundler-cache: true # runs 'bundle install' and caches installed gems automatically
       - name: Patch version
         if: ${{ matrix.type != 'final' }}
+        env:
+          GHA_RUN_ID: ${{ github.run_id }}
+          GIT_REF: ${{ github.ref }}
+          GIT_SHA: ${{ github.sha }}
         run: |
-          # Obtain context information
-          gha_run_id='${{ github.run_id }}'
-          git_ref='${{ github.ref }}'
-          git_sha='${{ github.sha }}'
+          .gitlab/patch_gem_version.sh gha $GHA_RUN_ID $GIT_REF $GIT_SHA;
 
-          # Output info for CI debug
-          echo gha_run_id="${gha_run_id}"
-          echo git_ref="${git_ref}"
-          echo git_sha="${git_sha}"
-
-          .gitlab/patch_gem_version.sh gha $gha_run_id $git_ref $git_sha;
       - name: Patch gem host
         if: ${{ matrix.type != 'final' }}
         run: |

.github/workflows/check.yml

@@ -112,6 +112,25 @@ jobs:
         env:
           SEMGREP_RULES: p/default
 
+  zizmor:
+    name: zizmor
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: Install the latest version of uv
+        uses: astral-sh/setup-uv@v5
+
+      - name: Run zizmor 🌈
+        run: uvx zizmor --format sarif .
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
   complete:
     name: Static Analysis (complete)
     needs:
@@ -121,6 +140,7 @@ jobs:
       - 'semgrep'
       - 'dd-software-composition-analysis'
       - 'dd-static-analysis'
+      - 'zizmor'
     runs-on: ubuntu-24.04
     steps:
       - run: echo "Done"

.github/workflows/system-tests.yml

@@ -87,8 +87,11 @@ jobs:
         run: |
           docker image list
       - name: Log in to the Container registry
-        run: |
-          echo ${{ secrets.GITHUB_TOKEN }} | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Tag image for CI run
         run: docker tag ${{ matrix.image.internal }} ${{ env.REPO }}/system-tests/${{ matrix.image.name }}:gha${{ github.run_id }}-g${{ github.sha }}
       - name: Push image for CI run
@@ -182,8 +185,11 @@ jobs:
             docker pull "${{ env.REPO }}/system-tests/${{ matrix.library.name }}/${{ matrix.image }}-${{ matrix.app }}:g${sha}" || true
           done
       - name: Log in to the Container registry
-        run: |
-          echo ${{ secrets.GITHUB_TOKEN }} | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - name: Build
         run: |
           cache_from=()
@@ -470,8 +476,11 @@ jobs:
     name: Cleanup (${{ matrix.image }})
     steps:
       - name: Log in to the Container registry
-        run: |
-          echo ${{ secrets.GITHUB_TOKEN }} | docker login ${{ env.REGISTRY }} -u ${{ github.actor }} --password-stdin
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
       - uses: actions/delete-package-versions@e5bc658cc4c965c472efe991f8beea3981499c55 # v5.0.0
         with:
           package-version-ids: "gha${{ github.run_id }}-g${{ github.sha }}"

.github/workflows/test.yml

@@ -147,9 +147,13 @@ jobs:
     #
     # This is a workaround to manually set the correct git commit sha for the pull request event.
     - if: github.event_name == 'pull_request'
-      run: echo "DD_GIT_COMMIT_SHA=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+      env:
+        DD_GIT_COMMIT_SHA: ${{ github.event.pull_request.head.sha }}
+      run: echo "DD_GIT_COMMIT_SHA=$DD_GIT_COMMIT_SHA" >> $GITHUB_ENV
     - if: github.event_name != 'pull_request'
-      run: echo "DD_GIT_COMMIT_SHA=${{ github.sha }}" >> $GITHUB_ENV
+      env:
+        DD_GIT_COMMIT_SHA: ${{ github.sha }}
+      run: echo "DD_GIT_COMMIT_SHA=$DD_GIT_COMMIT_SHA" >> $GITHUB_ENV
     - run: echo $DD_GIT_COMMIT_SHA
     - name: Upload junit reports
       run: datadog-ci junit upload --verbose tmp/rspec/