ci: add zizmor for linting gha workflows

[vitorfloriano]

This PR adds Zizmor to CI.

In short, Zizmor is a Static Analysis Tool that scans GitHub Actions workflows to detect security issues like unpinned version usage, excessive permissions and many other issues.

It will help us ensure existent and added workflows adhere to security best practices, including Kubernetes new GitHub Actions Security Policy.

About the chosen config:

• We set advanced-security: false to disable uploading results to GitHub's Advanced Security tab but instead print to the console and fail the run on CI if issues are found. See: https://github.com/zizmorcore/zizmor-action#advanced-security
• We set min-confidence: medium to ignore findings that are merely informational due to low confidence of the audit, just so they don't fail the run. See: https://github.com/zizmorcore/zizmor-action#min-confidence

Blocked by #200

[netlify]

✅ Deploy Preview for node-readiness-controller canceled.

Name	Link
🔨 Latest commit	a17c084
🔍 Latest deploy log	https://app.netlify.com/projects/node-readiness-controller/deploys/6a02218c93486a0009d90596

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: vitorfloriano
Once this PR has been reviewed and has the lgtm label, please assign sergeykanzhelev for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ajaysundark]

/cc @Priyankasaggu11929

Could you help take a look at this? Thanks!

[ajaysundark]

could this be restricted to .github/workflows/** instead?

[vitorfloriano]

Yeah, **/workflows/ works best for monorepos, but that's not the case here. I'll change that.

[ajaysundark]

I think we could prefer path filter to be .github/workflows/**/*.{yml, yaml}

[vitorfloriano]

I think GitHub Actions only recognizes the files directly under workflows/ (without additional nesting), so I believe it should be like this:

Suggested change

	- '**/workflows/*.yml'
	- '.github/workflows/*.{yml,yaml}'

See: https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#about-yaml-syntax-for-workflows

You must store workflow files in the .github/workflows directory of your repository.

I'll update based on that.

[ajaysundark]

/assign @vitorfloriano

[vitorfloriano]

Hm...the workflow linter did not run after the latest change. Need to investigate.

/hold

[vitorfloriano]

@ajaysundark Apparently, *.{yml, yaml} isn't valid syntax in workflows, so we'll need to be a bit redundant explicit here.

See: https://docs.github.com/en/actions/reference/workflows-and-actions/workflow-syntax#filter-pattern-cheat-sheet

[Priyankasaggu11929]

Folks, just a thought - rather than introducing more new tools to ensure our GH actions are safe, could we try moving our existing GitHub Action workflows to Prow (I can help guide here)?

[Priyankasaggu11929]

Folks, just a thought - rather than introducing more new tools to ensure our GH actions are safe, could we try moving our existing GitHub Action workflows to Prow (I can help guide here)?

Hello @vitorfloriano, following up from our discussion from yesterday's call.

For learning about Prow/Prowjobs, here are some resources:

• prow job docs - https://docs.prow.k8s.io/docs/jobs/
• and this talk - https://www.youtube.com/watch?v=gKKfXTZd7VU

---

We already have a directory setup for defining Prow jobs for the Node Readiness Controller (NRC) repo here - https://github.com/kubernetes/test-infra/tree/master/config/jobs/kubernetes-sigs/node-readiness-controller

This is the PR that added the first (presubmit) job for the NRC project - kubernetes/test-infra#36261.
The review comments might be helpful.

---

And for some guidance/reference on migrating our existing NRC GH action worfklow jobs, we can maybe look at the prow jobs definition for NPD project - https://github.com/kubernetes/test-infra/tree/master/config/jobs/kubernetes/node-problem-detector

We can start by migrating one of the GH jobs to Prow.
Please feel free to start a draft PR and use that for any queries/doubts, I can help. Thanks!

[vitorfloriano]

We can start by migrating one of the GH jobs to Prow.
Please feel free to start a draft PR and use that for any queries/doubts, I can help. Thanks!

@Priyankasaggu11929 I drafted kubernetes/test-infra#37035.

I decided to start with migrating the test workflow because it seems to be the easiest.

Also, I think that migrating the release workflow would enter the scope of the upcoming mentorship project (see #151), so I'll leave it for now.

Considering we are moving towards a Prow-centered CI, I'll close this PR.

We can continue the conversation on the prowjob PR and in future meetings.

Thanks for the guidance!