Add workflow authoring standards, actionlint/zizmor gate, and CONTRIB…

[ms280690]

…UTING guide

• Add .pre-commit-config.yaml with actionlint (v1.7.12) and zizmor (v1.25.2) hooks
• Add .github/workflows/workflow-lint.yml — CI gate running actionlint via reviewdog and zizmor with SARIF upload to GitHub Security tab; triggers on PRs touching any workflow or action YAML file
• Add CONTRIBUTING.md with workflow authoring checklist, SHA pinning instructions, and security pillars reference table
• Pin and upgrade action refs in terramate-opentofu-setup/action.yml: opentofu/setup-opentofu v1.0.6 → v2.0.1 (SHA pinned) terramate-io/terramate-action v3.0.0 (SHA pinned)

Closes #25

[github-advanced-security]

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

• The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
• Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
• You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

[ms280690]

Code Review

Strengths

• Consistent SHA pinning — all uses: references are pinned to full 40-char SHAs with version comments. Sets a strong precedent.
• persist-credentials: false — correctly applied to both checkout steps.
• permissions: scoped appropriately — workflow-level contents: read, with job-level overrides for pull-requests: write (actionlint) and security-events: write (zizmor). Principle of least privilege followed.
• SARIF upload with if: always() — ensures results are uploaded even when zizmor exits non-zero (findings present), which is the correct behaviour.
• CONTRIBUTING.md is well-structured — the checklist is actionable and the SHA-pinning lookup command is a nice touch.

---

Issues

1. run: steps in workflow-lint.yml lack shell: bash

- name: Install zizmor
  run: pip install zizmor==1.25.2

- name: Run zizmor
  run: zizmor --format sarif . > zizmor-results.sarif

The CONTRIBUTING checklist explicitly requires shell: bash on all run: steps — these two steps in the new workflow don't follow the rule the PR itself is introducing. Both need shell: bash.

---

2. zizmor installed via pip install without hash pinning

run: pip install zizmor==1.25.2

Version is pinned, but PyPI packages can be replaced after the fact. For a workflow whose purpose is supply-chain hardening, this is an ironic gap. Consider either:

• pip install --require-hashes with a requirements file containing the expected hash, or
• Using the woodruffw/zizmor-pre-commit action directly in CI (already referenced in .pre-commit-config.yaml) instead of installing via pip.

---

3. workflow_call trigger — reporter: github-pr-review won't work in that context

reporter: github-pr-review silently does nothing when the workflow is called via workflow_call (no PR context). Consider switching to reporter: github-check, which works in both PR and workflow_call contexts.

---

4. workflow_call has no inputs/outputs defined

workflow_call with no inputs: block is valid, but callers have no way to know what the workflow accepts. If this is intentionally zero-input, a brief header comment would prevent confusion.

---

5. CONTRIBUTING.md hardcodes ms280690 as assignee

2. Assign to `ms280690`, type: Feature, ...

This embeds a personal username in org-wide guidance. If ownership changes this silently becomes stale. Consider replacing with a team handle (e.g., @sparkgeo/platform) or removing the specific assignee.

---

6. Renovate reference may mislead

Renovate (issue #8) is configured to keep pinned SHAs current automatically...

This implies Renovate is already active. If issue #8 is still open/pending, contributors may skip manual SHA updates expecting Renovate to handle it. Worth adding "once configured" or noting the current status.

---

Priority before merging

• (1) Add shell: bash to the two run: steps — the PR's own checklist requires it.
• (2) Address the pip hash-pinning gap — directly contradicts the supply-chain hardening goal.

Items 3–6 are lower priority but worth addressing for long-term maintainability.

[Copilot]

Pull request overview

Adds repo-level standards and automated enforcement for safer GitHub Actions workflow/composite-action authoring, aligning with Issue #25 by introducing local pre-commit linting plus a CI “workflow lint” gate, and by tightening action supply-chain security via SHA pinning.

Changes:

• Added CONTRIBUTING.md documenting workflow authoring/security standards and local setup.
• Added .pre-commit-config.yaml with actionlint and zizmor hooks for local enforcement.
• Added .github/workflows/workflow-lint.yml CI gate to run actionlint (via reviewdog) and zizmor (with SARIF upload), and pinned action references in an existing composite action.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
CONTRIBUTING.md	Documents workflow authoring checklist, SHA pinning guidance, and security reference table.
.pre-commit-config.yaml	Adds local actionlint + zizmor pre-commit hooks pinned to specific revisions.
.github/workflows/workflow-lint.yml	Introduces CI lint gate for workflow/action YAML changes, including SARIF upload.
.github/actions/terramate-opentofu-setup/action.yml	Pins action dependencies to commit SHAs for supply-chain hardening.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.