[ci] enforce 'zizmor' checks in CI (#7218)

Author: jameslamb

.github/workflows/build.yml

@@ -15,6 +15,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
+permissions:
+  contents: none
+
 env:
   # tell scripts where to put artifacts
   BUILD_ARTIFACTSTAGINGDIRECTORY: '${{ github.workspace }}/artifacts'
@@ -23,6 +28,8 @@ jobs:
   archive:
     runs-on: ubuntu-latest
     timeout-minutes: 15
+    permissions:
+      contents: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -64,6 +71,8 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - archive
+    permissions:
+      statuses: read
     steps:
       - name: Note that all tests succeeded
         uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2

.github/workflows/cpp.yml

@@ -13,6 +13,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
+permissions:
+  contents: none
+
 env:
   # tell scripts where to put artifacts
   # (this variable name is left over from when jobs ran on Azure DevOps)
@@ -28,6 +33,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     container: ${{ matrix.container }}
     timeout-minutes: 60
+    permissions:
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -141,6 +148,8 @@ jobs:
     runs-on: ubuntu-latest
     needs:
       - test
+    permissions:
+      statuses: read
     steps:
       - name: Note that all tests succeeded
         uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2

.github/workflows/cuda.yml

@@ -9,6 +9,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
+permissions:
+  contents: none
+
 jobs:
   test:
     # yamllint disable-line rule:line-length
@@ -30,6 +35,8 @@ jobs:
         SKBUILD_STRICT_CONFIG: true
       options: --gpus all
     timeout-minutes: 30
+    permissions:
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -85,7 +92,10 @@ jobs:
   all-cuda-jobs-successful:
     if: always()
     runs-on: ubuntu-latest
-    needs: [test]
+    needs:
+      - test
+    permissions:
+      statuses: read
     steps:
       - name: Note that all tests succeeded
         uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2

.github/workflows/lock.yml

@@ -9,16 +9,21 @@ on:
   # allow manual triggering from GitHub UI
   workflow_dispatch:
 
-permissions:
-  issues: write
-  pull-requests: write
-
+# only 1 job running in the repo at any time
 concurrency:
   group: lock
 
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
+permissions:
+  contents: none
+
 jobs:
   action:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: dessant/lock-threads@7266a7ce5c1df01b1c6db85bf8cd86c737dadbe7  # v6.0.0
         with:

.github/workflows/lychee.yml

@@ -7,6 +7,15 @@ on:
   schedule:
     - cron: '0 8 * * *'
 
+# only 1 job running in the repo at any time
+concurrency:
+  group: lock
+
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
+permissions:
+  contents: none
+
 env:
   COMPILER: gcc
   OS_NAME: 'linux'
@@ -16,6 +25,8 @@ jobs:
   check-links:
     timeout-minutes: 60
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

.github/workflows/no_response.yml

@@ -1,19 +1,27 @@
 name: No Response Bot
 
-permissions:
-  issues: write
-  pull-requests: write
-
 on:
   issue_comment:
     types: [created]
   schedule:
     # "every day at 04:00 UTC"
     - cron: '0 4 * * *'
 
+# only 1 job running in the repo at any time
+concurrency:
+  group: lock
+
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
+permissions:
+  contents: none
+
 jobs:
-  noResponse:
+  no-response:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
     steps:
       - uses: lee-dohm/no-response@9bb0a4b5e6a45046f00353d5de7d90fb8bd773bb  # v0.5.0
         with:

.github/workflows/optional_checks.yml

@@ -5,12 +5,25 @@ on:
     branches:
       - master
 
+# automatically cancel in-progress builds if another commit is pushed
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
+permissions:
+  contents: none
+
 jobs:
   all-optional-checks-successful:
     timeout-minutes: 30
     runs-on: ubuntu-latest
     env:
       GITHUB_TOKEN: ${{ github.token }}
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2

.github/workflows/python_package.yml

@@ -13,6 +13,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
+permissions:
+  contents: none
+
 env:
   # tell scripts where to put artifacts
   # (this variable name is left over from when jobs ran on Azure DevOps)
@@ -376,7 +381,8 @@ jobs:
     name: NuGet package
     runs-on: ubuntu-latest
     timeout-minutes: 30
-    needs: [test]
+    needs:
+      - test
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -401,12 +407,12 @@ jobs:
             mono-devel
       - name: Create NuGet package
         run: |
-          python .ci/create-nuget.py "${{ env.BUILD_ARTIFACTSTAGINGDIRECTORY }}"
+          python .ci/create-nuget.py "${BUILD_ARTIFACTSTAGINGDIRECTORY}"
           nuget pack \
             $(pwd)/.ci/nuget/LightGBM.nuspec \
             -NonInteractive \
             -Verbosity detailed \
-            -OutputDirectory "${{ env.BUILD_ARTIFACTSTAGINGDIRECTORY }}"
+            -OutputDirectory "${BUILD_ARTIFACTSTAGINGDIRECTORY}"
       - name: Upload artifacts
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f  # v7.0.0
         with:
@@ -485,6 +491,8 @@ jobs:
       - test
       - test-linux-aarch64
       - test-old-versions
+    permissions:
+      statuses: read
     steps:
       - name: Note that all tests succeeded
         uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2

.github/workflows/r_configure.yml

@@ -8,27 +8,26 @@ on:
         description: |
           Branch in lightgbm-org/LightGBM to update.
 
+# automatically cancel in-progress builds if another commit is pushed
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
 permissions:
-  actions: none
-  checks: none
-  contents: write
-  deployments: none
-  discussions: none
-  id-token: write
-  issues: none
-  packages: none
-  pages: none
-  pull-requests: read
-  repository-projects: none
-  security-events: none
-  statuses: none
+  contents: none
 
 jobs:
   r-configure:
     name: r-configure
     timeout-minutes: 60
     runs-on: ubuntu-latest
     container: "ubuntu:22.04"
+    permissions:
+      contents: write
+      id-token: write
+      pull-requests: read
     steps:
       - name: Install essential software before checkout
         run: |

.github/workflows/r_package.yml

@@ -13,6 +13,11 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# default to 0 permissions
+# (job-level overrides add the minimal permissions needed)
+permissions:
+  contents: none
+
 env:
   # tell scripts where to put artifacts
   # (this variable name is left over from when jobs ran on Azure DevOps)
@@ -55,6 +60,8 @@ jobs:
     runs-on: ${{ matrix.os }}
     container: ${{ matrix.container }}
     timeout-minutes: 60
+    permissions:
+      contents: write
     strategy:
       fail-fast: false
       matrix:
@@ -221,6 +228,8 @@ jobs:
     timeout-minutes: 60
     runs-on: ubuntu-latest
     container: wch1/r-debug
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -256,6 +265,8 @@ jobs:
   test-r-extra-checks:
     name: r-package (${{ matrix.image }}, R-devel)
     timeout-minutes: 60
+    permissions:
+      contents: read
     strategy:
       fail-fast: false
       matrix:
@@ -361,7 +372,12 @@ jobs:
   all-r-package-jobs-successful:
     if: always()
     runs-on: ubuntu-latest
-    needs: [test, test-r-sanitizers, test-r-extra-checks]
+    needs:
+      - test
+      - test-r-sanitizers
+      - test-r-extra-checks
+    permissions:
+      statuses: read
     steps:
       - name: Note that all tests succeeded
         uses: re-actors/alls-green@05ac9388f0aebcb5727afa17fcccfecd6f8ec5fe  # v1.2.2