Generate zizmor-compliant `release.yml` workflow files

[AlexWaygood]

We run zizmor in Ruff's CI (via pre-commit), which is a linter that checks GitHub workflow files for security issues:

• pre-commit config: https://github.com/astral-sh/ruff/blob/33a56f198b3653312f9adb4bc8be41aedce52fbc/.pre-commit-config.yaml#L92-L97
• zizmor config: https://github.com/astral-sh/ruff/blob/main/.github/zizmor.yml
• Zizmor docs: https://woodruffw.github.io/zizmor/

But the workflow file generated by dist doesn't pass zizmor, meaning we have to exclude it from the check (currently it's excluded from all pre-commit lints: https://github.com/astral-sh/ruff/blob/33a56f198b3653312f9adb4bc8be41aedce52fbc/.pre-commit-config.yaml#L3-L5). That feels sort-of ironic, since potential security issues are arguably more important in the release workflow than in any other workflow. It would be great if the workflow files generated by dist could be guaranteed to be zizmor-compliant out of the box, so that we didn't have to exclude them from the check in Ruff's CI

This isn't particularly high-priority, though -- more of a nice-to-have!

[Gankra]

artipacked

warning[artipacked]: credential persistence through GitHub Actions artifacts
  --> .github/workflows/release.yml:62:9
   |
62 |         - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
   |  _________-
63 | |         with:
64 | |           submodules: recursive
   | |_______________________________- does not set persist-credentials: false
   |
   = note: audit confidence → Low

excessive-permissions

error[excessive-permissions]: overly broad permissions
  --> .github/workflows/release.yml:18:3
   |
18 |   "contents": "write"
   |   ^^^^^^^^^^^^^^^^^^^ contents: write is overly broad at the workflow level
   |
   = note: audit confidence → High

template-injection

error[template-injection]: code injection via template expansion
  --> .github/workflows/release.yml:80:9
   |
80 |          - id: plan
   |  __________^
81 | |          run: |
   | | _________^
82 | ||           dist ${{ (inputs.tag && inputs.tag != 'dry-run' && format('host --steps=create --tag={0}', inputs.tag)) || 'plan' }} --out...
83 | ||           echo "dist ran successfully"
84 | ||           cat plan-dist-manifest.json
85 | ||           echo "manifest=$(jq -c "." plan-dist-manifest.json)" >> "$GITHUB_OUTPUT"
   | ||                                                                                  ^
   | ||__________________________________________________________________________________|
   |  |__________________________________________________________________________________this step
   |                                                                                     inputs.tag may expand into attacker-controllable code
   |
   = note: audit confidence → Low

info[template-injection]: code injection via template expansion
   --> .github/workflows/release.yml:140:9
    |
140 |          - id: cargo-dist
    |  __________-
141 | |          shell: bash
142 | |          run: |
    | | _________-
143 | ||           dist build ${{ needs.plan.outputs.tag-flag }} --output-format=json "--artifacts=global" > dist-manifest.json
...   ||
150 | ||
151 | ||           cp dist-manifest.json "$BUILD_MANIFEST_NAME"
    | ||                                                      -
    | ||______________________________________________________|
    |  |______________________________________________________info: this step
    |                                                         info: needs.plan.outputs.tag-flag may expand into attacker-controllable code
    |

info[template-injection]: code injection via template expansion
   --> .github/workflows/release.yml:191:9
    |
191 |          - id: host
    |  __________-
192 | |          shell: bash
193 | |          run: |
    | | _________-
194 | ||           dist host ${{ needs.plan.outputs.tag-flag }} --steps=upload --steps=release --output-format=json > dist-manifest.json
195 | ||           echo "artifacts uploaded and released successfully"
196 | ||           cat dist-manifest.json
197 | ||           echo "manifest=$(jq -c "." dist-manifest.json)" >> "$GITHUB_OUTPUT"
    | ||                                                                             -
    | ||_____________________________________________________________________________|
    |  |_____________________________________________________________________________info: this step
    |                                                                                info: needs.plan.outputs.tag-flag may expand into attacker-controllable code
    |
    = note: audit confidence → Low

info[template-injection]: code injection via template expansion
   --> .github/workflows/release.yml:263:9
    |
263 |   ... - name: Create GitHub Release
    |         --------------------------- info: this step
264 |   ...   env:
...
268 |   ...     RELEASE_COMMIT: "${{ github.sha }}"
269 | / ...   run: |
270 | | ...     # Write and read notes from a file to avoid quoting breaking things
271 | | ...     echo "$ANNOUNCEMENT_BODY" > $RUNNER_TEMP/notes.txt
272 | | ...
273 | | ...     gh release create "${{ needs.plan.outputs.tag }}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" artifacts/*
    | |_____________________________________________________________________________________________________________________________________________________________________________________- info: needs.plan.outputs.tag may expand into attacker-controllable code
    |
    = note: audit confidence → Low

secrets-inherit

warning[secrets-inherit]: secrets unconditionally inherited by called workflow
  --> .github/workflows/release.yml:96:5
   |
96 |     uses: ./.github/workflows/build-binaries.yml
   |     -------------------------------------------- this reusable workflow
97 |     with:
98 |       plan: ${{ needs.plan.outputs.val }}
99 |     secrets: inherit
   |     ---------------- inherits all parent secrets
   |
   = note: audit confidence → High

[Gankra]

All of these look probably-fine given the context that the values of concern happen only when a privileged user pushes a tag or uses the workflow_dispatch. That said fixing them would be good/nice, agreed.

• artipacked: this is a weird one and the most Real. context on persist-credentials, context on artipacked. I guess we should Just Do This? Assuming we weren't implicitly relying on it (I don't think so...).

• excessive-permissions: yeah it sure is. but it feeds into the next point.

• secrets-inherit: yeah so this one is kinda fundamental to trying to let users extend the workflow with arbitrary subjobs, many of which need high privileges. On several occasions I had to ratchet the privileges up to support astral's workflows! Fixing this would require a proper system for each custom-job to declare its permissions more strictly in the cargo-dist config (doable but tedious).

• all the template expansion complaints seem to amount to us using the privileged-to-specify git tag. So this is arguably a false-positive, although maybe we could escape/sanitize it still? It's too bad it doesn't recommend a solution.

[AlexWaygood]

all the template expansion complaints seem to amount to us using the privileged-to-specify git tag. So this is arguably a false-positive, although maybe we could escape/sanitize it still? It's too bad it doesn't recommend a solution.

Yeah these should be pretty easy to fix, I think — see e.g. astral-sh/ruff@fa9ce6a for an example of how to fix (and conversation following astral-sh/ruff#16857 (comment) for why it fixes things)