Fix Zizmor

Orange-OpenSource · Jan 21, 2025 · 2472aa9 · 2472aa9
1 parent fee90a8
commit 2472aa9
Show file tree

Hide file tree

Showing 12 changed files with 154 additions and 91 deletions.
diff --git a/.github/workflows/accept-pull-request.yml b/.github/workflows/accept-pull-request.yml
@@ -69,6 +69,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4.2.2
         with:
+          persist-credentials: true
           ref: ${{ env.BASE_REF }}
           token: ${{ secrets.HURL_BOT_TOKEN }}
           fetch-depth: 0

diff --git a/.github/workflows/auto-close-inactive-pr.yml b/.github/workflows/auto-close-inactive-pr.yml
@@ -18,6 +18,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: false
       - name: Auto close inactive PR
         run: .github/workflows/bin/auto-close-inactive-pr.sh --github-project-path "${REPO}" --github-token "${GITHUB_TOKEN}" --max-days-of-inactivity 15
 
diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
@@ -13,6 +13,8 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions: {}
+
 jobs:
 
   checks:
@@ -22,6 +24,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
 
     - name: Shellcheck
@@ -62,7 +65,7 @@ jobs:
 
     - name: Zizmor
       env:
-        GITHUB_TOKEN: ${{ secrets.HURL_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       if: always()
       run: |
         pip install zizmor

diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -18,6 +18,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
+      with:
+        persist-credentials: false
 
     - name: Install Prerequisites
       run: bin/install_prerequisites_ubuntu.sh

diff --git a/.github/workflows/extra-package.yml b/.github/workflows/extra-package.yml
@@ -1,78 +1,81 @@
-name: extra-package
-
-on:
-  workflow_dispatch:
-    inputs:
-      set-release-version:
-        description: 'Desired release version (x.y.z)'
-        required: true
-        type: string
-      push-to-chocolatey:
-        description: 'Push to chocolatey'
-        type: boolean
-        default: false
-      push-to-winget:
-        description: 'Push to winget'
-        type: boolean
-        default: false
-
-concurrency: extra-package
-
-jobs:
-  check-release:
-    env:
-      GH_TOKEN: ${{ github.token }}
-      RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
-    name: Check-release
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-          ref: ${{ github.event.inputs.set-release-version }}
-      - name: Check if branch is a published release
-        run: |
-          if gh release list --exclude-drafts --exclude-pre-releases | grep -E "^${RELEASE_VERSION}" ; then
-              echo "✅ Desired release ${RELEASE_VERSION} is a published release"
-          else
-              echo "❌ You have to run this workflow for a published release (excluding draft and pre-release), but the desired one [${RELEASE_VERSION}] is not."
-              exit 1
-          fi
-
-  push-to-chocolatey:
-    if: github.event.inputs.push-to-chocolatey == 'true'
-    needs: check-release
-    env:
-      RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
-      CHOCOLATEY_TOKEN: ${{ secrets.LEPAPAREIL_CHOCOLATEY_TOKEN }}
-    name: Push to chocolatey
-    runs-on: windows-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-          ref: ${{ github.event.inputs.set-release-version }}
-      - name: Push to chocolatey
-        run: .\bin\release\push_package_to_chocolatey.ps1 $env:RELEASE_VERSION $env:CHOCOLATEY_TOKEN
-
-  push-to-winget:
-    if: github.event.inputs.push-to-winget == 'true'
-    needs: check-release
-    env:
-      RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
-      WINGET_TOKEN: ${{ secrets.LEPAPAREIL_WINGET_TOKEN }}
-    name: Push to winget
-    runs-on: windows-latest
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@v4.2.2
-        with:
-          fetch-depth: 1
-          ref: ${{ github.event.inputs.set-release-version }}
-      - name: Push to winget
-        run: |
-          Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile .\wingetcreate.exe
-          .\wingetcreate.exe version
-          .\bin\release\push_package_to_winget.ps1 "$env:RELEASE_VERSION" "$env:LEPAPAREIL_WINGET_TOKEN"
+name: extra-package
+
+on:
+  workflow_dispatch:
+    inputs:
+      set-release-version:
+        description: 'Desired release version (x.y.z)'
+        required: true
+        type: string
+      push-to-chocolatey:
+        description: 'Push to chocolatey'
+        type: boolean
+        default: false
+      push-to-winget:
+        description: 'Push to winget'
+        type: boolean
+        default: false
+
+concurrency: extra-package
+
+jobs:
+  check-release:
+    env:
+      GH_TOKEN: ${{ github.token }}
+      RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
+    name: Check-release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: true
+          fetch-depth: 1
+          ref: ${{ github.event.inputs.set-release-version }}
+      - name: Check if branch is a published release
+        run: |
+          if gh release list --exclude-drafts --exclude-pre-releases | grep -E "^${RELEASE_VERSION}" ; then
+              echo "✅ Desired release ${RELEASE_VERSION} is a published release"
+          else
+              echo "❌ You have to run this workflow for a published release (excluding draft and pre-release), but the desired one [${RELEASE_VERSION}] is not."
+              exit 1
+          fi
+
+  push-to-chocolatey:
+    if: github.event.inputs.push-to-chocolatey == 'true'
+    needs: check-release
+    env:
+      RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
+      CHOCOLATEY_TOKEN: ${{ secrets.LEPAPAREIL_CHOCOLATEY_TOKEN }}
+    name: Push to chocolatey
+    runs-on: windows-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: false
+          fetch-depth: 1
+          ref: ${{ github.event.inputs.set-release-version }}
+      - name: Push to chocolatey
+        run: .\bin\release\push_package_to_chocolatey.ps1 $env:RELEASE_VERSION $env:CHOCOLATEY_TOKEN
+
+  push-to-winget:
+    if: github.event.inputs.push-to-winget == 'true'
+    needs: check-release
+    env:
+      RELEASE_VERSION: ${{ github.event.inputs.set-release-version }}
+      WINGET_TOKEN: ${{ secrets.LEPAPAREIL_WINGET_TOKEN }}
+    name: Push to winget
+    runs-on: windows-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: true 
+          fetch-depth: 1
+          ref: ${{ github.event.inputs.set-release-version }}
+      - name: Push to winget
+        run: |
+          Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile .\wingetcreate.exe
+          .\wingetcreate.exe version
+          .\bin\release\push_package_to_winget.ps1 "$env:RELEASE_VERSION" "$env:LEPAPAREIL_WINGET_TOKEN"
diff --git a/.github/workflows/package.yml b/.github/workflows/package.yml
@@ -14,13 +14,16 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions: {}
+
 jobs:
   package-generic-linux-x64:
     runs-on: ubuntu-20.04
     steps:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
     - name: Install prerequisites
       run: bin/install_prerequisites_ubuntu.sh
@@ -64,6 +67,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
     - name: Set up QEMU
       uses: docker/setup-qemu-action@v3.3.0
@@ -113,6 +117,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
     - name: Retrieve release-generic-linux-x64-artifacts
       uses: actions/download-artifact@v4.1.8
@@ -166,6 +171,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
     - name: Retrieve release-generic-linux-x64-artifacts
       uses: actions/download-artifact@v4.1.8
@@ -217,6 +223,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
     - name: Retrieve release-generic-linux-x64-artifacts
       uses: actions/download-artifact@v4.1.8
@@ -268,6 +275,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
     - name: Retrieve release-generic-linux-x64-artifacts
       uses: actions/download-artifact@v4.1.8
@@ -321,6 +329,7 @@ jobs:
    - name: Checkout repository
      uses: actions/checkout@v4.2.2
      with:
+       persist-credentials: false
        ref: ${{ inputs.branch }}
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3.8.0
@@ -392,6 +401,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
     - name: Install Prerequisites
       run: bin/install_prerequisites_ubuntu.sh
@@ -443,6 +453,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
     - name: Install Prerequisites
       run: |
@@ -492,6 +503,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
     - name: Install Prerequisites
       run: |
@@ -547,6 +559,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v4.2.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.branch }}
     - name: Install Rust
       run: |
@@ -606,6 +619,7 @@ jobs:
       - name: Checkout repository
         uses: actions/checkout@v4.2.2
         with:
+          persist-credentials: false
           ref: ${{ inputs.branch }}
       - uses: actions/download-artifact@v4.1.8
         with:

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -56,6 +56,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: true
 
       - name: Check release pull request existence
         id: check-release-pull-request-existence
@@ -172,6 +174,8 @@ jobs:
       - name: Checkout repository
         if: github.ref_name == 'master'
         uses: actions/checkout@v4.2.2
+        with:
+          persist-credentials: true
 
       - name: Create release branch
         if: github.ref_name == 'master'
@@ -189,6 +193,7 @@ jobs:
       - name: Checkout new release branch
         uses: actions/checkout@v4.2.2
         with:
+          persist-credentials: true
           ref: ${{ needs.set-context.outputs.release_branch }}
 
       - name: Check CHANGELOG
@@ -298,6 +303,7 @@ jobs:
       - name: Checkout new release branch
         uses: actions/checkout@v4.2.2
         with:
+          persist-credentials: true
           ref: ${{ needs.set-context.outputs.release_branch }}
 
       - name: Init git bot context