Summary

Adds zizmor as a GitHub Actions security scanner and fixes the issues it flagged. All fixes are low-risk, zero-cost improvements to CI hygiene.

Template injection (deprecate.yml, release-branch.yml)

Routes ${{ github.event.inputs.* }} through env: blocks instead of interpolating directly in run: shells. Both workflows are maintainer-only (workflow_dispatch), so the practical risk was minimal, but the fix is trivial and eliminates the code smell entirely. See zizmor's template-injection docs.

Credential persistence (all workflows)

Sets persist-credentials: false on every actions/checkout step. Risk here was also low, but there's no reason to leave credentials around when no workflow needs them for post-checkout git operations. update-sponsor-block.yml uses peter-evans/create-pull-request@v8, which manages its own credentials and does not depend on checkout's. See zizmor's artipacked docs.

Continuous scanning (zizmor.yml)

New workflow runs zizmor on pushes to v1.x and on PRs, uploading SARIF results to GitHub code scanning.

Exceptions

Two One zizmor rules are is disabled in .github/zizmor.yml since fixing them it here would add noise:

• unpinned-uses: covered separately by chore(ci): pin GitHub Actions to commit SHAs #10615; exception can be removed once that merges Removed — addressed by ci: pin versions of actions and review to be certain these are correct #10627.
• excessive-permissions: narrowing permissions to job level requires auditing each job individually; planned as a follow-up

Summary by cubic

Adds zizmor GitHub Actions security scanning and hardens CI by removing template-injection vectors and disabling checkout credential persistence. No changes to build or release behavior.

Description

• Summary of changes

  • Added .github/workflows/zizmor.yml to run zizmor on pushes to v1.x and on all PRs, uploading SARIF with job-level security-events: write and workflow permissions: {}.
  • Added .github/zizmor.yml with excessive-permissions temporarily disabled.
  • Routed ${{ github.event.inputs.* }} through env in release-branch.yml to prevent shell template injection.
  • Set persist-credentials: false on all actions/checkout steps across workflows.
  • In publish.yml, replaced cache: npm with package-manager-cache: false to avoid unused cache config.

• Reasoning

  • Prevent template injection in run: shells.
  • Reduce token exposure by not persisting checkout credentials.

• Additional context

  • update-sponsor-block.yml uses peter-evans/create-pull-request, which manages its own credentials.
  • We'll re-enable the excessive-permissions rule after a permissions audit.

Docs

• zizmor findings appear under Security > Code scanning alerts.
• The scanner runs on PRs and on pushes to v1.x.

Testing

• No application tests; CI-only changes.
• Verified by running workflows via this PR; workflow_dispatch inputs in release-branch.yml now flow through env.
• No additional tests needed.

^{Written for commit 18d24a2. Summary will update on new commits.}