Fix more zizmor warnings

2026-05-11 23:41:03 -05:00 · 2026-04-10 17:33:59 +02:00
parent 9b4dc0231c
commit 894d303608
5 changed files with 22 additions and 2 deletions
@@ -53,6 +53,8 @@ jobs:

    steps:
    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false

    ###############
    ## Build web ##
@@ -93,6 +95,7 @@ jobs:
      uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
      with:
        go-version-file: go.mod
+        cache: false

    - name: Build all targets
      run: make build
@@ -193,6 +196,7 @@ jobs:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          fetch-depth: 0
+          persist-credentials: false

      - name: Restore unit coverage report
        uses: actions/cache/restore@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
@@ -15,16 +15,21 @@ concurrency:
  group: ${{ github.workflow }}
  cancel-in-progress: false

+permissions:
+  contents: read
+
 jobs:
  build:
    if: "!contains(github.event.head_commit.message, '[ci skip]')"
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+      with:
+        persist-credentials: false
    - name: Run tdg github action
      uses: ribtoks/tdg-github-action@7cc4b6643e790dde39ac8bf2cfc8c08c660afbb2 # v0.4.17-beta
      with:
-        TOKEN: ${{ secrets.TDG_TOKEN }}
+        TOKEN: ${{ secrets.TDG_TOKEN }} # zizmor: ignore[secrets-outside-env]
        REPO: ${{ github.repository }}
        ISSUE_REPO: "PrivateCaptcha/issues"
        SHA: ${{ github.sha }}
@@ -19,7 +19,11 @@ jobs:
      contents: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          package-manager-cache: false

      - name: Lint Open API specs
        run: |
@@ -21,12 +21,15 @@ jobs:
      packages: read
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false

      # Setup .npmrc file to publish to GitHub Packages
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'
+          package-manager-cache: false

      - name: Check if version should be published
        id: check
@@ -42,7 +45,7 @@ jobs:
            echo "should_publish=true" >> $GITHUB_OUTPUT
          fi
        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # zizmor: ignore[secrets-outside-env]
    outputs:
      should_publish: ${{ steps.check.outputs.should_publish }}

@@ -57,11 +60,14 @@ jobs:
      id-token: write  # Required for OIDC
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false

      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: '24'
          registry-url: 'https://registry.npmjs.org'
+          package-manager-cache: false

      - name: Install widget NPM dependencies
        run: npm ci
@@ -3,3 +3,4 @@ rules:
    ignore:
      - ci.yaml
      - docker.yaml
+      - cla.yml