apply zizmor recommendations (#15490)

blakeblackshear · Dec 13, 2024 · 869fa26 · 869fa26
1 parent f336a91
commit 869fa26
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 30 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -7,7 +7,7 @@ on:
       - dev
       - master
     paths-ignore:
-      - 'docs/**'      
+      - "docs/**"
 
 # only run the latest commit to avoid cache overwrites
 concurrency:
@@ -24,6 +24,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up QEMU and Buildx
         id: setup
         uses: ./.github/actions/setup
@@ -45,6 +47,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up QEMU and Buildx
         id: setup
         uses: ./.github/actions/setup
@@ -86,6 +90,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up QEMU and Buildx
         id: setup
         uses: ./.github/actions/setup
@@ -112,6 +118,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up QEMU and Buildx
         id: setup
         uses: ./.github/actions/setup
@@ -140,6 +148,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up QEMU and Buildx
         id: setup
         uses: ./.github/actions/setup
@@ -165,6 +175,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up QEMU and Buildx
         id: setup
         uses: ./.github/actions/setup
@@ -188,6 +200,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up QEMU and Buildx
         id: setup
         uses: ./.github/actions/setup

diff --git a/.github/workflows/dependabot-auto-merge.yaml b/.github/workflows/dependabot-auto-merge.yaml
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
@@ -3,7 +3,7 @@ name: On pull request
 on:
   pull_request:
     paths-ignore:
-      - 'docs/**'
+      - "docs/**"
 
 env:
   DEFAULT_PYTHON: 3.9
@@ -19,6 +19,8 @@ jobs:
       DOCKER_BUILDKIT: "1"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@master
         with:
           node-version: 16.x
@@ -38,6 +40,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@master
         with:
           node-version: 16.x
@@ -52,6 +56,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@master
         with:
           node-version: 20.x
@@ -67,6 +73,8 @@ jobs:
     steps:
       - name: Check out the repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ env.DEFAULT_PYTHON }}
         uses: actions/[email protected]
         with:
@@ -88,6 +96,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@master
         with:
           node-version: 16.x

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -11,6 +11,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - id: lowercaseRepo
         uses: ASzc/change-string-case-action@v6
         with:
@@ -22,10 +24,13 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
       - name: Create tag variables
+        env:
+          TAG: ${{ github.ref_name }}
+          LOWERCASE_REPO: ${{ steps.lowercaseRepo.outputs.lowercase }}
         run: |
-          BUILD_TYPE=$([[ "${{ github.ref_name }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] && echo "stable" || echo "beta")
+          BUILD_TYPE=$([[ "${TAG}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]] && echo "stable" || echo "beta")
           echo "BUILD_TYPE=${BUILD_TYPE}" >> $GITHUB_ENV
-          echo "BASE=ghcr.io/${{ steps.lowercaseRepo.outputs.lowercase }}" >> $GITHUB_ENV
+          echo "BASE=ghcr.io/${LOWERCASE_REPO}" >> $GITHUB_ENV
           echo "BUILD_TAG=${GITHUB_SHA::7}" >> $GITHUB_ENV
           echo "CLEAN_VERSION=$(echo ${GITHUB_REF##*/} | tr '[:upper:]' '[:lower:]' | sed 's/^[v]//')" >> $GITHUB_ENV
       - name: Tag and push the main image

diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -23,7 +23,9 @@ jobs:
           exempt-pr-labels: "pinned,security,dependencies"
           operations-per-run: 120
       - name: Print outputs
-        run: echo ${{ join(steps.stale.outputs.*, ',') }}
+        env:
+          STALE_OUTPUT: ${{ join(steps.stale.outputs.*, ',') }}
+        run: echo "$STALE_OUTPUT"
 
   # clean_ghcr:
   #   name: Delete outdated dev container images
@@ -38,4 +40,3 @@ jobs:
   #         account-type: personal
   #         token: ${{ secrets.GITHUB_TOKEN }}
   #         token-type: github-token
-