DO-1802: Add Yamllinting, actionlinting and zizmor static analysis

.github/actionlint.yml

@@ -0,0 +1,6 @@
+paths:
+  # CST_REPORTING_TOKEN is an org-level secret — not declared in the workflow
+  # but valid at runtime. actionlint cannot see org-level secrets.
+  ".github/workflows/magento-cloud-deploy.yml":
+    ignore:
+      - 'property "cst_reporting_token" is not defined'

.github/actions/command-exists/action.yml

@@ -23,7 +23,7 @@ runs:
     - id: check-script
       shell: bash
       run: |
-        cmd="${{ inputs.command }}"
+        cmd="${INPUTS_COMMAND}"
 
         # Check root package.json scripts
         if jq -e --arg cmd "$cmd" '.scripts[$cmd]' package.json > /dev/null 2>&1; then
@@ -58,7 +58,8 @@ runs:
         if [ -f "pnpm-workspace.yaml" ]; then
           # Extract package paths from YAML list items, stripping optional quotes
           # Matches: "  - packages/*", "  - 'apps/*'", '  - "libs/*"' -> packages/*, apps/*, libs/*
-          pnpm_packages=$(grep -E '^\s*-\s+' pnpm-workspace.yaml | sed "s/.*-\s*['\"]\\{0,1\\}\([^'\"]*\\)['\"]\\{0,1\\}/\1/" 2>/dev/null)
+          pnpm_packages=$(grep -E '^\s*-\s+' pnpm-workspace.yaml \
+            | sed "s/.*-\s*['\"]\\{0,1\\}\([^'\"]*\\)['\"]\\{0,1\\}/\1/" 2>/dev/null)
           for pattern in $pnpm_packages; do
             for pkg_dir in $pattern; do
               if [ -f "$pkg_dir/package.json" ]; then
@@ -72,11 +73,13 @@ runs:
         fi
 
         echo "exists=false" >> $GITHUB_OUTPUT
+      env:
+        INPUTS_COMMAND: ${{ inputs.command }}
 
     - id: check-nx
       shell: bash
       run: |
-        cmd="${{ inputs.command }}"
+        cmd="${INPUTS_COMMAND}"
 
         # Check Nx targets if this is an Nx workspace
         if [ -f "nx.json" ]; then
@@ -86,4 +89,6 @@ runs:
           fi
         fi
 
-        echo "exists=false" >> $GITHUB_OUTPUT
+        echo "exists=false" >> $GITHUB_OUTPUT
+      env:
+        INPUTS_COMMAND: ${{ inputs.command }}

.github/actions/run-checks/action.yml

@@ -17,15 +17,15 @@ runs:
   using: composite
   steps:
     - id: add-matchers
-      uses: aligent/workflows/.github/actions/node-problem-matchers@main
+      uses: aligent/workflows/.github/actions/node-problem-matchers@main # zizmor: ignore[unpinned-uses] trusted source
     - id: run
       shell: bash
       run: |
         debug=${{ inputs.debug == 'true' && '--verbose' || '' }}
-        pm=${{ inputs.package-manager }}
+        pm=${INPUTS_PACKAGE_MANAGER}
 
         # Parse JSON array of commands
-        readarray -t commands < <(echo '${{ inputs.commands }}' | jq -r '.[]')
+        readarray -t commands < <(echo '${INPUTS_COMMANDS}' | jq -r '.[]')
 
         if [ ${#commands[@]} -gt 0 ]; then
           # Build the full command strings
@@ -39,8 +39,11 @@ runs:
         else
           echo "No commands to run"
         fi
+      env:
+        INPUTS_PACKAGE_MANAGER: ${{ inputs.package-manager }}
+        INPUTS_COMMANDS: ${{ inputs.commands }}
     - id: remove-matchers
       if: always()
-      uses: aligent/workflows/.github/actions/node-problem-matchers@main
+      uses: aligent/workflows/.github/actions/node-problem-matchers@main # zizmor: ignore[unpinned-uses] trusted source
       with:
         action: remove

.github/dependabot.yml

@@ -4,3 +4,5 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 7

.github/workflows/aem-sync-to-cloudmanager-repo.yml

@@ -96,7 +96,9 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Cache Maven packages
         if: ${{ !env.ACT }}  # Skip when running with act locally
@@ -131,7 +133,9 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Cache Maven packages
         if: ${{ !env.ACT }}  # Skip when running with act locally
@@ -165,9 +169,10 @@ jobs:
 
     steps:
       - name: Checkout code with full history
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Configure Git
         run: |
@@ -193,11 +198,11 @@ jobs:
 
           # Determine branch name
           if [ -n "$REMOTE_BRANCH" ]; then
-            BRANCH="${{ github.ref_name }}:${REMOTE_BRANCH}"
-            echo "📋 Pushing '${{ github.ref_name }}' to Cloud Manager branch '${REMOTE_BRANCH}'"
+            BRANCH="${GITHUB_REF_NAME}:${REMOTE_BRANCH}"
+            echo "📋 Pushing '${GITHUB_REF_NAME}' to Cloud Manager branch '${REMOTE_BRANCH}'"
           else
-            BRANCH="${{ github.ref_name }}"
-            echo "📋 Pushing '${{ github.ref_name }}' to Cloud Manager"
+            BRANCH="${GITHUB_REF_NAME}"
+            echo "📋 Pushing '${GITHUB_REF_NAME}' to Cloud Manager"
           fi
 
           # Push to Cloud Manager
@@ -215,16 +220,16 @@ jobs:
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "| Property | Value |" >> $GITHUB_STEP_SUMMARY
           echo "|----------|-------|" >> $GITHUB_STEP_SUMMARY
-          echo "| **Source Branch** | ${{ github.ref_name }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Source Branch** | ${GITHUB_REF_NAME} |" >> $GITHUB_STEP_SUMMARY
 
           if [ -n "$REMOTE_BRANCH" ]; then
             echo "| **Target Branch** | ${REMOTE_BRANCH} |" >> $GITHUB_STEP_SUMMARY
           else
-            echo "| **Target Branch** | ${{ github.ref_name }} |" >> $GITHUB_STEP_SUMMARY
+            echo "| **Target Branch** | ${GITHUB_REF_NAME} |" >> $GITHUB_STEP_SUMMARY
           fi
 
           echo "| **Git Commit** | ${{ github.sha }} |" >> $GITHUB_STEP_SUMMARY
-          echo "| **Triggered By** | ${{ github.actor }} |" >> $GITHUB_STEP_SUMMARY
+          echo "| **Triggered By** | ${GITHUB_ACTOR} |" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "### ✅ Sync Complete" >> $GITHUB_STEP_SUMMARY
           echo "Your AEM project has been successfully synced to Cloud Manager." >> $GITHUB_STEP_SUMMARY

.github/workflows/aws-cdk.yml

@@ -122,9 +122,10 @@ jobs:
       role-session-name: ${{ steps.resolve-session-name.outputs.role-session-name }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           lfs: ${{ inputs.lfs }}
+          persist-credentials: false
 
       - name: Detect Node.js version
         id: node-version
@@ -184,10 +185,14 @@ jobs:
         uses: actions/setup-node@v6
         with:
           node-version: ${{ steps.node-version.outputs.version }}
+          # yamllint disable rule:line-length
           cache: ${{ steps.detect-package-manager.outputs.manager == 'yarn-berry' && 'yarn' || (steps.detect-package-manager.outputs.manager == 'yarn-classic' && 'yarn' || steps.detect-package-manager.outputs.manager) }}
+          # yamllint enable rule:line-length
 
       - name: Install safe-chain
-        run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci
+        run: |
+          SAFE_CHAIN_URL="https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh"
+          curl -fsSL "$SAFE_CHAIN_URL" | sh -s -- --ci
 
       - name: Install dependencies
         env:
@@ -329,7 +334,9 @@ jobs:
           fi
 
           # Validate that at least one of synth, diff or deploy is true
-          if [ "$INPUT_SYNTH" != "true" ] && [ "$INPUT_DIFF" != "true" ] && [ "$INPUT_DEPLOY" != "true" ]; then
+          if [ "$INPUT_SYNTH" != "true" ] && \
+             [ "$INPUT_DIFF" != "true" ] && \
+             [ "$INPUT_DEPLOY" != "true" ]; then
             echo "❌ Error: At least one of synth, diff, or deploy must be true"
             exit 1
           fi
@@ -411,9 +418,10 @@ jobs:
       deployment-status: ${{ steps.deploy.outputs.status }}
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
         with:
           lfs: ${{ inputs.lfs }}
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@v6
@@ -447,7 +455,7 @@ jobs:
 
       - name: Configure AWS credentials (Static)
         if: needs.prepare.outputs.auth-mode == 'static'
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
         with:
           aws-access-key-id: ${{ vars.AWS_ACCESS_KEY_ID }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
@@ -456,7 +464,7 @@ jobs:
 
       - name: Configure AWS credentials (OIDC)
         if: needs.prepare.outputs.auth-mode == 'oidc'
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@8df5847569e6427dd6c4fb1cf565c83acfa8afa7
         with:
           role-to-assume: ${{ vars.AWS_ROLE_ARN }}
           role-session-name: ${{ needs.prepare.outputs.role-session-name }}
@@ -470,6 +478,7 @@ jobs:
           CFN_EXECUTION_ROLE: ${{ secrets.CFN_EXECUTION_ROLE }}
           AWS_REGION: ${{ inputs.aws-region }}
           EXTRA_ARGUMENTS: ${{ inputs.extra-arguments }}
+          CDK_BOOTSTRAP_CMD: ${{ needs.prepare.outputs.cdk-bootstrap-cmd }}
         run: |
           echo "🥾 Bootstrapping CDK environment..."
 
@@ -478,6 +487,8 @@ jobs:
             verbose="--verbose"
           fi
 
+          BOOTSTRAP_CMD="${CDK_BOOTSTRAP_CMD}"
+
           # Check if using custom command from config or default
           if [ "$BOOTSTRAP_CMD" = "npx cdk bootstrap" ]; then
             # Default command - add AWS-specific arguments
@@ -487,7 +498,7 @@ jobs:
             fi
 
             $BOOTSTRAP_CMD \
-              aws://$(aws sts get-caller-identity --query Account --output text)/$AWS_REGION \
+              aws://$(aws sts get-caller-identity --query Account --output text)/${AWS_REGION} \
               $role_args \
               $verbose
           else

.github/workflows/changeset-check.yml

@@ -50,7 +50,9 @@ jobs:
       pull-requests: write
     steps:
       - name: Checkout Repository
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
         uses: actions/setup-node@v6
@@ -74,28 +76,30 @@ jobs:
       - name: Run pre-install commands
         if: inputs.pre-install-commands != ''
         run: |
-          echo "${{ inputs.pre-install-commands }}" | while IFS= read -r cmd; do
+          echo "${INPUTS_PRE_INSTALL_COMMANDS}" | while IFS= read -r cmd; do
             if [ -n "$cmd" ]; then
               echo "Running: $cmd"
               eval "$cmd"
             fi
           done
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          INPUTS_PRE_INSTALL_COMMANDS: ${{ inputs.pre-install-commands }}
 
       - name: Install dependencies
         run: |
           debug=${{ inputs.debug && '--verbose' || '' }}
-          if [ "${{ inputs.package-manager }}" = "yarn" ]; then
+          if [ "${INPUTS_PACKAGE_MANAGER}" = "yarn" ]; then
             lock_flag=${{ inputs.is-yarn-classic && '--frozen-lockfile' || '--immutable' }}
             yarn install $lock_flag $debug
-          elif [ "${{ inputs.package-manager }}" = "pnpm" ]; then
+          elif [ "${INPUTS_PACKAGE_MANAGER}" = "pnpm" ]; then
             pnpm install --frozen-lockfile $debug
           else
             npm ci $debug
           fi
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          INPUTS_PACKAGE_MANAGER: ${{ inputs.package-manager }}
 
       - name: Get Changed Files
         id: changed-files
@@ -115,10 +119,12 @@ jobs:
         id: changeset-check
         env:
           CHANGED_FILES: ${{ steps.changed-files.outputs.result }}
+          INPUTS_PACKAGES_PATH: ${{ inputs.packages-path }}
+          INPUTS_PACKAGE_MANAGER: ${{ inputs.package-manager }}
         run: |
           set +e
 
-          PACKAGES_PATH="${{ inputs.packages-path }}"
+          PACKAGES_PATH="${INPUTS_PACKAGES_PATH}"
           PACKAGES_PREFIX="${PACKAGES_PATH%/}"
 
           # Get changed directories under the packages path using GitHub API results
@@ -167,14 +173,16 @@ jobs:
           fi
 
           # Check changeset status for detailed coverage
-          CHANGESET_STATUS=$(${{ inputs.package-manager }} changeset status --output=json 2>/dev/null)
+          CHANGESET_STATUS=$(${INPUTS_PACKAGE_MANAGER} changeset status --output=json 2>/dev/null)
           CHANGESET_EXIT_CODE=$?
 
           if [ $CHANGESET_EXIT_CODE -ne 0 ]; then
             echo "needs_changeset=true" >> $GITHUB_OUTPUT
             echo "Affected packages found but no changesets detected"
           else
-            PACKAGES_WITH_CHANGESETS=$(echo "$CHANGESET_STATUS" | jq -r '.releases[] | select(.changesets | length > 0) | .name' 2>/dev/null || echo "")
+            JQ_FILTER='.releases[] | select(.changesets | length > 0) | .name'
+            PACKAGES_WITH_CHANGESETS=$(echo "$CHANGESET_STATUS" \
+              | jq -r "$JQ_FILTER" 2>/dev/null || echo "")
 
             ALL_COVERED=true
             for pkg in $PUBLISHABLE_AFFECTED; do
@@ -196,12 +204,16 @@ jobs:
       - name: Comment on PR if no changeset
         if: steps.changeset-check.outputs.needs_changeset == 'true'
         uses: actions/github-script@v8
+        env:
+          COMMENT_HEADER: ${{ inputs.comment-header }}
+          CHANGESET_COMMAND: ${{ inputs.changeset-command }}
+          STATUS_COMMAND: ${{ inputs.changeset-status-command }}
         with:
-          script: |
+          script: | # zizmor: ignore[template-injection] - affected_packages is a trusted input source  
             const { owner, repo, number } = context.issue;
-            const commentHeader = `${{ inputs.comment-header }}`;
-            const changesetCmd = `${{ inputs.changeset-command }}`;
-            const statusCmd = `${{ inputs.changeset-status-command }}`;
+            const commentHeader = process.env.COMMENT_HEADER;
+            const changesetCmd = process.env.CHANGESET_COMMAND;
+            const statusCmd = process.env.STATUS_COMMAND;
 
             const comments = await github.rest.issues.listComments({
               owner, repo, issue_number: number,
@@ -253,7 +265,8 @@ jobs:
               `${changesetCmd} --empty`,
               '```',
               '',
-              `**Tip:** When running \`${changesetCmd}\`, select only the packages listed above that you actually changed the public API of.`,
+              `**Tip:** When running \`${changesetCmd}\`, select only the packages ` +
+              `listed above that you actually changed the public API of.`,
               '',
               '</details>'
             ].join('\n');
@@ -271,10 +284,12 @@ jobs:
       - name: Remove changeset comment if changeset exists
         if: steps.changeset-check.outputs.needs_changeset == 'false'
         uses: actions/github-script@v8
+        env:
+          COMMENT_HEADER: ${{ inputs.comment-header }}
         with:
           script: |
             const { owner, repo, number } = context.issue;
-            const commentHeader = `${{ inputs.comment-header }}`;
+            const commentHeader = process.env.COMMENT_HEADER;
 
             const comments = await github.rest.issues.listComments({
               owner, repo, issue_number: number,