From 4fcf765d7f700194392aee59d4d26f1314088367 Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Mar 2026 17:45:05 -0800 Subject: [PATCH 1/5] Add zizmor and frizbee CI checks Add caller workflows for zizmor (security scanning) and frizbee (action pinning verification). Fix zizmor findings where applicable and add suppression config for intentional patterns. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/frizbee.yml | 16 ++++++++++++ .github/workflows/release.yml | 4 ++- .github/workflows/zizmor.yml | 16 ++++++++++++ .github/zizmor.yml | 48 +++++++++++++++++++++++++++++++++++ 4 files changed, 83 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/frizbee.yml create mode 100644 .github/workflows/zizmor.yml create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/frizbee.yml b/.github/workflows/frizbee.yml new file mode 100644 index 000000000..642f692d3 --- /dev/null +++ b/.github/workflows/frizbee.yml @@ -0,0 +1,16 @@ +name: Frizbee pinning check +on: + push: + workflow_call: + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + frizbee: + uses: smallstep/workflows/.github/workflows/frizbee.yml@main + secrets: inherit diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index fa727795f..e47f733dc 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,9 +31,11 @@ jobs: steps: - name: Is Pre-release id: is_prerelease + env: + REF: ${{ github.ref }} run: | set +e - echo ${{ github.ref }} | grep "\-rc.*" + echo "${REF}" | grep "\-rc.*" OUT=$? if [ $OUT -eq 0 ]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi echo "IS_PRERELEASE=${IS_PRERELEASE}" >> "${GITHUB_OUTPUT}" diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml new file mode 100644 index 000000000..3270953b8 --- /dev/null +++ b/.github/workflows/zizmor.yml 
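Review bot: `secrets: inherit` on the frizbee caller hands every repository and organization secret to a workflow resolved from the mutable `smallstep/workflows@main`, for a job that only verifies action pinning and itself declares `contents: read`. Anyone who can push to that branch can then read every caller's secrets, and the pinning checker is itself the one unpinned reference in the file. Unless the reusable workflow actually declares required secrets, drop the `secrets: inherit` line or pass only the specific secret it names. The workflow also runs only on `push`, so fork pull requests are never checked before merge; adding `pull_request:` (not `pull_request_target`) under `on:` would gate PRs and is also what gives the `github.event.pull_request.number` concurrency key a value.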
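Review bot: The `grep "\-rc.*"` test fed by the new `echo "${REF}"` line is unanchored and relies on `set +e` to survive a non-match, so any ref containing `-rc` anywhere is treated as a pre-release and errexit stays disabled for the rest of the step. A shell pattern match needs neither the subshell nor the exit-code dance: replace `set +e`, the `echo | grep` line and `OUT=$?` with `if [[ "${REF}" == refs/tags/v*-rc* ]]; then IS_PRERELEASE=true; else IS_PRERELEASE=false; fi` (assuming the `v*` tag filter remains the only trigger). Moving `github.ref` into `env` is the right fix for the template-injection finding; the step and its enclosing job continue outside the hunk.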
@@ -0,0 +1,16 @@ +name: Zizmor security scan +on: + push: + workflow_call: + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + cancel-in-progress: true + +permissions: + contents: read + +jobs: + zizmor: + uses: smallstep/workflows/.github/workflows/zizmor.yml@main + secrets: inherit diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 000000000..14438f07c --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,48 @@ +rules: + # Internal reusable workflows (smallstep/*@main) intentionally track + # the main branch for centralized CI management. Pinning to a SHA + # would defeat the purpose of the shared workflows repo. + unpinned-uses: + ignore: + - actionlint.yml:16 + - ci.yml:25 + - code-scan-cron.yml:13 + - dependabot-auto-merge.yml:10 + - frizbee.yml:15 + - release.yml:15 + - release.yml:73 + - release.yml:85 + - release.yml:99 + - triage.yml:19 + - zizmor.yml:15 + # Reusable workflow callers require `secrets: inherit` to pass + # credentials needed by the shared workflows (e.g. SSH keys, PATs). + secrets-inherit: + ignore: + - actionlint.yml:16 + - ci.yml:25 + - code-scan-cron.yml:13 + - dependabot-auto-merge.yml:10 + - frizbee.yml:15 + - release.yml:15 + - release.yml:73 + - release.yml:85 + - release.yml:99 + - triage.yml:19 + - zizmor.yml:15 + # These workflows either lack a top-level `permissions:` block + # (using GitHub defaults) or delegate to reusable workflows that + # declare their own minimal permissions internally. + excessive-permissions: + ignore: + - release.yml:1 + - release.yml:18 + - release.yml:109 + # The triage workflow uses `pull_request_target` to label PRs + # from forks. This is safe because the called reusable workflow + # does not checkout or execute code from the PR. + dangerous-triggers: + ignore: + - triage.yml:3 + + From 6743081a15b5911672d4cfb454dd70ca301c2ddd Mon Sep 17 00:00:00 2001 
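Review bot: The scan only runs on `push`, so a fork pull request that introduces an unpinned action or a `pull_request_target` trigger is first scanned after it has already landed on the target branch. Add `pull_request:` under `on:` so findings gate the merge; that trigger is also the only way the `github.event.pull_request.number` part of the concurrency group ever gets a value. As in the frizbee caller, `secrets: inherit` into a workflow fetched from `@main` exposes every secret to a scanner job that declares `contents: read`; pass only what the reusable workflow requires, if anything.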
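Review bot: The `dangerous-triggers` suppression for `triage.yml:3` rests on a property of the callee (`smallstep/workflows@main` not checking out PR code) that this repository cannot observe or pin, while `triage.yml:19` is simultaneously exempted from `secrets-inherit` — so a `pull_request_target` job reachable by any fork PR forwards all secrets to a workflow whose contents can change without a commit here. That is the highest-risk combination in the file and the comment should say so rather than calling it safe; suggested wording: `# triage.yml runs on pull_request_target AND inherits all secrets; safety depends entirely on smallstep/workflows@main never checking out or executing PR code. Re-verify when that workflow changes; prefer passing only the labeling token.` Confirm with the owners of smallstep/workflows that branch protection on `main` matches that assumption.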
From: Carl Tashian Date: Mon, 2 Mar 2026 17:55:13 -0800 Subject: [PATCH 2/5] Add explicit permissions blocks, remove excessive-permissions ignores Co-Authored-By: Claude Opus 4.6 --- .github/workflows/release.yml | 7 +++++++ .github/zizmor.yml | 8 -------- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index e47f733dc..8fac4f701 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,9 @@ on: tags: - 'v*' # Push events to matching v*, i.e. v1.0, v20.15.10 +permissions: + contents: write + jobs: ci: permissions: @@ -17,6 +20,8 @@ jobs: create_release: name: Create Release + permissions: + contents: write needs: ci runs-on: ubuntu-latest env: @@ -108,6 +113,8 @@ jobs: update_reference_docs: name: Update Reference Docs + permissions: + contents: read runs-on: ubuntu-latest needs: create_release if: needs.create_release.outputs.is_prerelease == 'false' diff --git a/.github/zizmor.yml b/.github/zizmor.yml index 14438f07c..d1cfa96b1 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -30,14 +30,6 @@ rules: - release.yml:99 - triage.yml:19 - zizmor.yml:15 - # These workflows either lack a top-level `permissions:` block - # (using GitHub defaults) or delegate to reusable workflows that - # declare their own minimal permissions internally. - excessive-permissions: - ignore: - - release.yml:1 - - release.yml:18 - - release.yml:109 # The triage workflow uses `pull_request_target` to label PRs # from forks. This is safe because the called reusable workflow # does not checkout or execute code from the PR. From 284878bea45846ea7807d8c7d9351a5517452202 Mon Sep 17 00:00:00 2001 
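Review bot: The new workflow-level `permissions: contents: write` is the wrong default: it becomes the grant for every job in release.yml that does not declare its own block and the ceiling for any reusable workflow those jobs call, while the job-level block added in the same patch already gives `create_release` the write access it needs. Set the top-level block to `permissions: contents: read` (or `permissions: {}`) and keep `contents: write` on `create_release` only; an explicit minimal top-level block should satisfy zizmor's `excessive-permissions` audit just as well. The `ci` job's own `permissions:` block continues outside the hunk.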
From: Carl Tashian Date: Mon, 2 Mar 2026 18:02:34 -0800 Subject: [PATCH 3/5] Replace zizmor line-number ignores with policies Use unpinned-uses config.policies with org-level wildcard and secrets-inherit disable instead of brittle per-line ignores that break whenever workflow files change. Co-Authored-By: Claude Opus 4.6 --- .github/zizmor.yml | 40 +++++----------------------------------- 1 file changed, 5 insertions(+), 35 deletions(-) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index d1cfa96b1..b8ff0715f 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -1,40 +1,10 @@ rules: - # Internal reusable workflows (smallstep/*@main) intentionally track - # the main branch for centralized CI management. Pinning to a SHA - # would defeat the purpose of the shared workflows repo. unpinned-uses: - ignore: - - actionlint.yml:16 - - ci.yml:25 - - code-scan-cron.yml:13 - - dependabot-auto-merge.yml:10 - - frizbee.yml:15 - - release.yml:15 - - release.yml:73 - - release.yml:85 - - release.yml:99 - - triage.yml:19 - - zizmor.yml:15 - # Reusable workflow callers require `secrets: inherit` to pass - # credentials needed by the shared workflows (e.g. SSH keys, PATs). + config: + policies: + "smallstep/*": ref-pin secrets-inherit: - ignore: - - actionlint.yml:16 - - ci.yml:25 - - code-scan-cron.yml:13 - - dependabot-auto-merge.yml:10 - - frizbee.yml:15 - - release.yml:15 - - release.yml:73 - - release.yml:85 - - release.yml:99 - - triage.yml:19 - - zizmor.yml:15 - # The triage workflow uses `pull_request_target` to label PRs - # from forks. This is safe because the called reusable workflow - # does not checkout or execute code from the PR. + disable: true dangerous-triggers: ignore: - - triage.yml:3 - - + - triage.yml From c5bd8ff732ca8c2208a77520e77a9f08e902341c Mon Sep 17 00:00:00 2001 
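Review bot: The `"smallstep/*": ref-pin` policy exempts every action and reusable workflow under the whole organization from hash pinning, not just the shared-CI repositories the deleted comment described, and `secrets-inherit: disable: true` turns that audit off for any future caller added to this repository as well. Narrow the policy to the repositories actually tracked at `@main` (e.g. `"smallstep/workflows": ref-pin`, plus the private repos if they are called from here) and replace the global disable with file-level `ignore:` entries for the existing callers — the same form this hunk already uses for `dangerous-triggers`. The rationale removed with the line-number ignores (shared workflows intentionally track `main`; which secrets the callees need) should survive as comments above `unpinned-uses` and `secrets-inherit`, otherwise a reader of the config cannot tell these suppressions are deliberate.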
From: Carl Tashian Date: Mon, 2 Mar 2026 18:28:53 -0800 Subject: [PATCH 4/5] Disable ref-confusion audit The ref-confusion audit crashes when workflows reference private repos (e.g. internal-workflows, robot) because the GITHUB_TOKEN lacks cross-repo access. Disable until zizmor supports scoping this audit or we provide a broader token. Co-Authored-By: Claude Opus 4.6 --- .github/zizmor.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/zizmor.yml b/.github/zizmor.yml index b8ff0715f..92a614677 100644 --- a/.github/zizmor.yml +++ b/.github/zizmor.yml @@ -5,6 +5,8 @@ rules: "smallstep/*": ref-pin secrets-inherit: disable: true + ref-confusion: + disable: true dangerous-triggers: ignore: - triage.yml From e8e7c785cfade94114c070a7264ea3ce3cd8a75a Mon Sep 17 00:00:00 2001 From: Carl Tashian Date: Mon, 2 Mar 2026 18:43:03 -0800 Subject: [PATCH 5/5] Add security-events: write to zizmor caller workflow The caller workflow's permissions are the ceiling for reusable workflows. The zizmor-action needs security-events: write to upload SARIF results to GitHub Advanced Security. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/zizmor.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml index 3270953b8..0057146c4 100644 --- a/.github/workflows/zizmor.yml +++ b/.github/workflows/zizmor.yml @@ -9,6 +9,7 @@ concurrency: permissions: contents: read + security-events: write jobs: zizmor:
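Review bot: `ref-confusion: disable: true` switches the audit off for every `uses:` in the repository, including the public third-party actions it exists to protect, to work around a crash on two private repositories. The file carries no hint of why, so the next reader will assume the audit was judged unimportant; at minimum add above the key `# ref-confusion crashes resolving private repos (internal-workflows, robot) with the default GITHUB_TOKEN; re-enable once zizmor can scope this audit or a broader token is provided`. If zizmor's per-file `ignore:` works for this audit (the form used for `dangerous-triggers` below), prefer listing only the workflows that reference the private repos so the remaining `uses:` lines stay covered.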
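Review bot: `security-events: write` is the right scope for a SARIF upload, but the caller now grants that capability to whatever `smallstep/workflows/.github/workflows/zizmor.yml@main` contains on a given day, and that scope also permits modifying or dismissing existing code-scanning alerts, not only creating them. Keep the reason attached to the grant with an inline comment: `security-events: write  # ceiling for the reusable zizmor workflow's SARIF upload to code scanning`. Consider pinning this one caller to a tag or SHA even if the other smallstep callers stay on `main`, since it is the workflow that decides which findings get reported.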