Add linter for GitHub actions

[ArBridgeman]

Summary

GitHub actions might introduce vulnerabilities into projects. Currently our linter Sonar does not validate actions.

We should add a linter for GitHub actions, e.g. https://github.com/zizmorcore/zizmor

zizmor can be installed with poetry. We could use the command directly or build a nox session around it.
probably would be helpful if we allow projects eventually to use the BaseConfig option for this stuff too, add to the checks.yml, but we first need to resolve the high errors or it would be annoying.

Possible Points

• switch github actions to pins from BaseConfig
• nox session to compare remote version sha to BaseConfig to say if anything can be updated and what kind of human readable version change it is. maybe with link to release notes?
• resolve more zizmor errors
• put zizmor in a nox session?
• consider if we should enable zizmor via checks.yml -> think we might want to think about how in non-PTB templates we'd update version.... (an idea is allowing them to have a template folder or we have targets they replace)

[ArBridgeman]

❯ poetry run -- zizmor --min-severity high ./
 INFO zizmor: 🌈 zizmor v1.24.1
 INFO audit: zizmor: 🌈 completed ./.github/actions/python-environment/action.yml
 INFO audit: zizmor: 🌈 completed ./.github/actions/security-issues/action.yml
 INFO audit: zizmor: 🌈 completed ./.github/dependabot.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/build-and-publish.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/cd.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/check-release-tag.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/checks.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/ci.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/gh-pages.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/matrix-all.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/matrix-exasol.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/matrix-python.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/merge-gate.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/pr-merge.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/report.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/slow-checks.yml
 INFO audit: zizmor: 🌈 completed ./.github/workflows/test-python-environment.yml
 INFO audit: zizmor: 🌈 completed ./exasol/toolbox/templates/github/dependabot.yml
error[template-injection]: code injection via template expansion
  --> ./.github/actions/python-environment/action.yml:48:29
   |
47 |       run: |
   |       --- this run block
48 |         POETRY_VERSION="${{ inputs.poetry-version }}" "$PYTHON_BINARY" "${{ github.action_path }}/ext/get_poetry.py"
   |                             ^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/actions/python-environment/action.yml:80:28
   |
79 |       run: |
   |       --- this run block
80 |         EXTRAS=$(echo "${{ inputs.extras }}" | tr -d ' ')
   |                            ^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/actions/python-environment/action.yml:92:49
   |
90 |       run: |
   |       --- this run block
91 |         poetry run python --version
92 |         poetry run python --version | grep "${{ inputs.python-version }}"
   |                                                 ^^^^^^^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> ./.github/actions/python-environment/action.yml:37:13
   |
37 |       uses: actions/setup-python@v6
   |             ^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/actions/python-environment/action.yml:71:13
   |
71 |       uses: actions/cache@v5
   |             ^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[github-env]: dangerous use of environment file
  --> ./.github/actions/python-environment/action.yml:47:7
   |
47 | /       run: |
48 | |         POETRY_VERSION="${{ inputs.poetry-version }}" "$PYTHON_BINARY" "${{ github.action_path }}/ext/get_poetry.py"
49 | |         echo "$HOME/.local/bin" >> $GITHUB_PATH
   | |_______________________________________________^ write to GITHUB_PATH may allow code execution
   |
   = note: audit confidence → Low

error[template-injection]: code injection via template expansion
  --> ./.github/actions/security-issues/action.yml:47:13
   |
46 |       run: |
   |       --- this run block
47 |         ${{ inputs.command }} | tee input
   |             ^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/actions/security-issues/action.yml:52:37
   |
51 |       run: |
   |       --- this run block
52 |         tbx security cve convert ${{inputs.format}} < input | tee cves.jsonl
   |                                     ^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/actions/security-issues/action.yml:67:48
   |
66 |       run: |
   |       --- this run block
67 |         tbx security cve create --project "${{ inputs.project }}" < issues.jsonl | tee created.jsonl
   |                                                ^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
  --> ./.github/actions/security-issues/action.yml:35:13
   |
35 |       uses: actions/setup-python@v6
   |             ^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/check-release-tag.yml:28:50
   |
28 |         run: "[[ `poetry version --short` == ${{ github.ref_name }} ]]"
   |         --- this run block                       ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[unpinned-uses]: unpinned action reference
   --> ./.github/workflows/checks.yml:225:15
    |
225 |         uses: actions/checkout@v6
    |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
    |
    = note: audit confidence → High

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/test-python-environment.yml:21:21
   |
19 |         run: |
   |         --- this run block
20 |           # Always run if the current branch is main
21 |           if [ "${{ github.ref_name }}" == "main" ]; then
   |                     ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix

error[template-injection]: code injection via template expansion
  --> ./.github/workflows/test-python-environment.yml:27:26
   |
19 |         run: |
   |         --- this run block
...
27 |             BASE_REF=${{ github.base_ref || 'main' }}
   |                          ^^^^^^^^^^^^^^^ may expand into attacker-controllable code
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/test-python-environment.yml:15:15
   |
15 |       - uses: actions/checkout@v6
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

error[unpinned-uses]: unpinned action reference
  --> ./.github/workflows/test-python-environment.yml:68:15
   |
68 |         uses: actions/checkout@v6
   |               ^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High

77 findings (30 ignored, 31 suppressed, 8 fixable): 0 informational, 0 low, 0 medium, 16 high