ci(security): harden security workflow — clear zizmor alerts #10 & #11

[WomB0ComB0]

Clears both open code-scanning alerts on .github/workflows/security.yml (zizmor 1.24.1), verified locally with zizmor --persona=auditor --no-online-audits → "No findings to report."

Alerts addressed

#	Rule	Sev	Fix
#11	secrets-inherit	warning	Replace secrets: inherit (forwards all repo secrets to the reusable workflow) with named forwarding of only SEMGREP_APP_TOKEN — the one token-consuming scanner enabled here.
#10	unpinned-uses	error	Already SHA-pinned in #30; carried forward. (Alert stays "open" only because the workflow startup-fails and never re-scans.)

Plus two latent findings the stale 2026-04-15 scan predates:

• excessive-permissions — workflow-level permissions dropped to {}; contents/security-events/pull-requests moved onto the scan job so they apply only to the reusable call.
• undocumented-permissions — every scope now has an explanatory comment.

Dependency

Requires resq-software/.github#21 (merged ✅), which declares SEMGREP_APP_TOKEN under workflow_call.secrets in the reusable workflow. This PR re-pins to that workflow's new SHA b48036af (#21).

Test plan

• CI green on this PR.
• After merge, the security workflow run actually starts (0-job startup_failure is the open question). Dropping secrets: inherit is the leading remaining hypothesis for that failure — this PR tests it.
• Confirm alerts chore(deps): bump the rust-minor-patch group with 3 updates #10 and chore(deps): bump solana-transaction from 3.1.0 to 4.0.0 #11 auto-resolve once a security scan completes.

Honest caveat

The earlier #30 SHA-pin did not fix the scheduled startup_failure (it persisted on the merged commit). The true startup error is only visible in the Actions web UI, not the API. This PR is the next most-likely fix; if the workflow still startup-fails after merge, the cause is elsewhere (org ruleset / repo Actions setting) and needs a look at the run page.

Summary by CodeRabbit

• Chores
  • Enhanced security scanning infrastructure by implementing least-privilege access controls and restricting permissions to only what's necessary.

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[coderabbitai]

Warning

Review limit reached

@WomB0ComB0, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 57 minutes and 9 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fa091c53-8dd1-4540-a111-a44b9862913e

📥 Commits

Reviewing files that changed from the base of the PR and between e5b38a7 and cbb79c7.

📒 Files selected for processing (1)

• .github/workflows/security.yml

📝 Walkthrough

Walkthrough

Updates .github/workflows/security.yml to enforce least-privilege access by declaring empty top-level permissions, explicitly scoping minimal permissions to the scan job, updating the reusable workflow SHA, and tightening secrets forwarding to pass only SEMGREP_APP_TOKEN instead of inheriting all secrets.

Changes

Security scan workflow hardening

Layer / File(s)	Summary
Workflow permissions, secrets, and SHA update .github/workflows/security.yml	Top-level permissions: {} is added; job-level scan.permissions grants only contents: read, security-events: write, and pull-requests: read; secrets: inherit is removed and replaced with explicit SEMGREP_APP_TOKEN forwarding; reusable workflow uses SHA is updated to a newer commit.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• resq-software/programs#30: Both PRs update the reusable security-scan.yml workflow invocation to a newer SHA-pinned commit in the same scan job.

Poem

🐰 A rabbit's security cheer,
Permissions tightened, secrets clear!
No inherit here, just what's required,
Access scoped and fires retired. 🔐✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main change: hardening the security workflow by removing overly permissive secret handling and clarifying permissions, which directly resolves the two zizmor alerts (#10 and #11) mentioned.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/harden-security-workflow

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}