Add `zizmor` to all RAPIDS projects and address all warnings

[gforsyth]

Recent security scans turned up a few potential security holes in our CI configuration -- while most of them were likely not actually exploitable, it doesn't hurt to tighten things up.

We should have zizmor installed as a pre-commit hook on all the RAPIDS repos, so that changes to workflows get audited by the linter (before a human gets to them).

Some general configuration:

In .github/zizmor.yml, we add the following:

rules:
  unpinned-uses:
    config:
      policies:
        # We require SHA-pinning for all workflows and actions _except_ for those from
        # rapidsai/shared-workflows and rapidsai/shared-actions
        "rapidsai/shared-workflows/*": any
        "rapidsai/shared-actions/*": any
        "*": hash-pin

Which, as noted in the comment, disables the warning for unpinned mutable refs for our shared-workflows, because we understand that risk and the trade-off with the flexibility and centralization it grants us.
For everything else, we selectively silence warnings if they are non-issues with in-line comments, as blanket disable lines are generally not a good idea.

Repos to check and fix

• rapidsai/ci-imgs fix(ci): resolve all zizmor findings and add zizmor pre-commit checks ci-imgs#404
• rapidsai/crossfit https://github.com/rapidsai/github-infrastructure/issues/118
• rapidsai/cucausal https://github.com/rapidsai/cucausal/pull/150
• rapidsai/cucim fix(ci): resolve all zizmor findings and add zizmor pre-commit checks cucim#1078
• rapidsai/cudf fix(ci): resolve all zizmor findings and add zizmor pre-commit checks cudf#22343
• rapidsai/cugraph fix(ci): resolve all zizmor findings and add zizmor pre-commit checks cugraph#5509
• rapidsai/cugraph-docs fix(ci): resolve all zizmor findings and add zizmor pre-commit checks cugraph-docs#196
• rapidsai/cugraph-gnn fix(ci): resolve all zizmor findings and add zizmor pre-commit checks cugraph-gnn#455
• rapidsai/cuml fix(ci): resolve all zizmor findings and add zizmor pre-commit checks cuml#8046
• NVIDIA/cuopt fix(ci): resolve all zizmor findings and add zizmor pre-commit checks NVIDIA/cuopt#1181
• rapidsai/cuvs fix(ci): resolve all zizmor findings and add zizmor pre-commit checks cuvs#2053
• rapidsai/cuvs-lucene fix(ci): resolve all zizmor findings and add zizmor pre-commit checks cuvs-lucene#146
• rapidsai/cuxfilter fix(ci): resolve all zizmor findings and add zizmor pre-commit checks cuxfilter#780
• rapidsai/dask-cuda fix(ci): resolve all zizmor findings and add zizmor pre-commit checks dask-cuda#1646
• rapidsai/dask-upstream-testing fix(ci): resolve all zizmor findings and add zizmor pre-commit checks dask-upstream-testing#99
• rapidsai/deployment fix(ci): resolve all zizmor findings and add zizmor pre-commit checks deployment#680
• rapidsai/detect-weak-linking fix(ci): resolve all zizmor findings and add zizmor pre-commit checks detect-weak-linking#7
• rapidsai/devcontainers fix: resolve template-injection issues and harden workflows devcontainers#691
• rapidsai/docs fix(ci): resolve all zizmor findings and add zizmor pre-commit checks docs#776
• rapidsai/docker fix: add zizmor and remediate all findings docker#871
• rapidsai/gha-token-service https://github.com/rapidsai/gha-token-service/pull/8
• rapidsai/gha-tools fix(ci): resolve all zizmor findings and add zizmor pre-commit checks gha-tools#257
• rapidsai/gputreeshap fix(ci): resolve all zizmor findings and add zizmor pre-commit checks gputreeshap#68
• rapidsai/gqe-bench no github actions
• rapidsai/integration fix(ci): resolve all zizmor findings and add zizmor pre-commit checks integration#844
• rapidsai/jupyterlab-nvdashboard fix(ci): resolve all zizmor findings and add zizmor pre-commit checks jupyterlab-nvdashboard#256
• rapidsai/kvikio fix(ci): resolve all zizmor findings and add zizmor pre-commit checks kvikio#957
• rapidsai/legate-boost fix: resolve template-injection issues and harden workflows legate-boost#262
• rapidsai/legate-dataframe fix(ci): resolve all zizmor findings and add zizmor pre-commit checks legate-dataframe#169
• rapidsai/legate-raft archived
• rapidsai/mdspan https://github.com/rapidsai/github-infrastructure/issues/117
• rapidsai/node fix(ci): resolve all zizmor findings and add zizmor pre-commit checks node#475
• rapidsai/nvforest fix(ci): resolve all zizmor findings and add zizmor pre-commit checks nvforest#106
• rapidsai/nx-cugraph fix(ci): resolve all zizmor findings and add zizmor pre-commit checks nx-cugraph#259
• rapidsai/pre-commit-hooks fix(ci): resolve all zizmor findings and add zizmor pre-commit checks pre-commit-hooks#123
• rapidsai/quent fix(ci): resolve all zizmor findings and add zizmor pre-commit checks quent#177
• rapidsai/raft fix(ci): resolve all zizmor findings and add zizmor pre-commit checks raft#3009
• rapidsai/rapids.ai no github actions usage
• rapidsai/rapids-build-backend fix(ci): resolve all zizmor findings and add zizmor pre-commit checks rapids-build-backend#80
• rapidsai/rapids-cli fix(ci): resolve all zizmor findings and add zizmor pre-commit checks rapids-cli#150
• rapidsai/rapids-cmake fix(ci): resolve all zizmor findings and add zizmor pre-commit checks rapids-cmake#1016
• rapidsai/rapids-dask-dependency fix(ci): resolve all zizmor findings and add zizmor pre-commit checks rapids-dask-dependency#153
• rapidsai/rapids-dependency-file-generator fix(ci): resolve all zizmor findings and add zizmor pre-commit checks dependency-file-generator#180
• rapidsai/rapids-logger fix(ci): resolve all zizmor findings and add zizmor pre-commit checks rapids-logger#74
• rapidsai/rapids-metadata
  • fix(ci): resolve all zizmor findings and add zizmor pre-commit checks rapids-metadata#75
  • add cuvs-lucene, enforce zizmor checks rapids-metadata#77
• rapidsai/rapidsmpf fix(ci): resolve all zizmor findings and add zizmor pre-commit checks rapidsmpf#1007
• rapidsai/rmm fix(ci): resolve all zizmor findings and add zizmor pre-commit checks rmm#2373
• rapidsai/rvc fix(ci): resolve all zizmor findings and add zizmor pre-commit checks rvc#16
• rapidsai/sccache
• rapidsai/shared-actions fix: resolve template injection points shared-actions#103
• rapidsai/shared-workflows feat: add zizmor static action checks shared-workflows#390
• rapidsai/spdx-license-builder fix(ci): resolve all zizmor findings and add zizmor pre-commit checks spdx-license-builder#6
• rapidsai/ucx-wheels fix(ci): resolve all zizmor findings and add zizmor pre-commit checks ucx-wheels#35
• rapidsai/ucxx fix(ci): resolve all zizmor findings and add zizmor pre-commit checks ucxx#645
• rapidsai/velox fix(ci): resolve all zizmor findings and add zizmor pre-commit checks velox#111
• rapidsai/velox-testing feat: add zizmor and remediate findings velox-testing#326
• rapidsai/workflows fix(ci): resolve all zizmor findings and add zizmor pre-commit checks workflows#113

Edit by @jakirkham : Updated the list in the OP with the ones in Gil's comment and a few more found via this search

[jameslamb]

Thanks @gforsyth , I agree we should enforce the zizmor checks everywhere.

But think we should expand the list of repos to "everything public in the rapidsai org that uses GitHub Actions". That'd include rapids-build-backend, rapids-cli, rapids-dependency-file-generator, etc.

Let's also please include https://github.com/nvidia/cuopt nevermind, it's already in the list, sorry for missing it.

Everything here: https://github.com/search?q=org%3Arapidsai+path%3A.github%2Fworkflows%2F+AND+NOT+is%3Aarchived&type=code

Note that list also hits some old and unmaintained repos... this effort seems like another good motivation to finally archive the things we aren't using (ref: https://github.com/rapidsai/ops/issues/3320). I'm happy to help with that if you agree.

[gforsyth]

But think we should expand the list of repos to "everything public in the rapidsai org that uses GitHub Actions". That'd include rapids-build-backend, rapids-cli, rapids-dependency-file-generator, etc.

Yep, strong agree.

And yes, let's go ahead and archive everything that isn't maintained.