🔒 Resolve all failed zizmor checks

.github/workflows/codacy.yml

@@ -37,6 +37,8 @@ jobs:
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       # Execute Codacy Analysis CLI and generate a SARIF output with the security issues identified during the analysis
       - name: Run Codacy Analysis CLI

.github/workflows/continuous-deploy.yml

@@ -131,6 +131,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -176,6 +178,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Mise
         uses: jdx/mise-action@v2
         with:
@@ -220,6 +223,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Mise
         uses: jdx/mise-action@v2
         with:
@@ -245,11 +249,14 @@ jobs:
       - name: Set branch name
         id: set_branch_name
         run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_ENV
+          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
+            echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV
           else
             echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV
           fi
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          HEAD_REF: ${{ github.head_ref }}
       - name: Check if branch exists
         id: check_branch
         run: |
@@ -269,6 +276,7 @@ jobs:
           token: ${{ secrets.CHARTS_PAT }}
           path: tilt/.charts
           ref: ${{ env.branch_name }}
+          persist-credentials: false
       - name: Start Test Harness
         run: mise run tilt:ci
         shell: bash
@@ -425,6 +433,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install dependencies
         run: pip install coverage
       - name: Download all .coverage artifacts
@@ -471,6 +480,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Mise
         uses: jdx/mise-action@v2
@@ -493,10 +504,12 @@ jobs:
         id: set_branch_name
         run: |
           if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_ENV
+            echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV
           else
             echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV
           fi
+        env:
+          HEAD_REF: ${{ github.head_ref }}
 
       - name: Check if branch exists
         id: check_branch
@@ -518,6 +531,7 @@ jobs:
           token: ${{ secrets.CHARTS_PAT }}
           path: charts
           ref: ${{ env.branch_name }}
+          persist-credentials: false
 
       - name: Install dependencies
         run: sudo apt-get install -y postgresql-client
@@ -685,6 +699,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Mise
         uses: jdx/mise-action@v2
@@ -695,16 +711,20 @@ jobs:
           install: true
 
       - name: Authenticate GitHub CLI
-        run: echo "${{ secrets.CHARTS_PAT }}" | gh auth login --with-token
+        run: echo "${PAT}" | gh auth login --with-token
+        env:
+          PAT: ${{ secrets.CHARTS_PAT }}
 
       - name: Set branch name
         id: set_branch_name
         run: |
           if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "BRANCH_NAME=${{ github.head_ref }}" >> $GITHUB_ENV
+            echo "BRANCH_NAME=${HEAD_REF}" >> $GITHUB_ENV
           else
             echo "BRANCH_NAME=$(echo ${GITHUB_REF#refs/heads/} | cut -d/ -f2-)" >> $GITHUB_ENV
           fi
+        env:
+          HEAD_REF: ${{ github.head_ref }}
 
       - name: Check if branch exists
         id: check_branch
@@ -726,6 +746,7 @@ jobs:
           token: ${{ secrets.CHARTS_PAT }}
           path: charts
           ref: ${{ env.branch_name }}
+          persist-credentials: false
 
       - name: Configure AWS credentials
         uses: aws-actions/configure-aws-credentials@v4
@@ -818,7 +839,7 @@ jobs:
             COMPLETION_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.succeeded}')
             FAILURE_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.failed}')
 
-            if [ "$COMPLETION_STATUS" == "${{ env.PYTEST_COMPLETIONS }}" ] || [ "$FAILURE_STATUS" == "1" ]; then
+            if [ "$COMPLETION_STATUS" == "${PYTEST_COMPLETIONS}" ] || [ "$FAILURE_STATUS" == "1" ]; then
                 echo "Job $JOB_NAME has completed."
                 break
             else
@@ -840,6 +861,7 @@ jobs:
         env:
           JOB_NAME: cloudapi-pytest
           NAMESPACE: dev-cloudapi
+          PYTEST_COMPLETIONS: ${{ env.PYTEST_COMPLETIONS }}
 
       - name: Wait for pytest regression and print logs
         if: steps.pytest-init-regression.outcome == 'success' || steps.pytest-run-regression.outcome == 'success'
@@ -849,7 +871,7 @@ jobs:
             COMPLETION_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.succeeded}')
             FAILURE_STATUS=$(kubectl get job $JOB_NAME -n $NAMESPACE -o jsonpath='{.status.failed}')
 
-            if [ "$COMPLETION_STATUS" == "${{ env.PYTEST_COMPLETIONS }}" ] || [ "$FAILURE_STATUS" == "1" ]; then
+            if [ "$COMPLETION_STATUS" == "${PYTEST_COMPLETIONS}" ] || [ "$FAILURE_STATUS" == "1" ]; then
                 echo "Job $JOB_NAME has completed."
                 break
             else
@@ -871,6 +893,7 @@ jobs:
         env:
           JOB_NAME: cloudapi-pytest-regression
           NAMESPACE: dev-cloudapi
+          PYTEST_COMPLETIONS: ${{ env.PYTEST_COMPLETIONS }}
 
       - name: Copy k8s pytest results
         if: steps.pytest.outcome == 'success' || steps.pytest-init-regression.outcome == 'success' || steps.pytest-run-regression.outcome == 'success'
@@ -1028,6 +1051,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
@@ -1082,6 +1107,8 @@ jobs:
             -e GOVERNANCE_OAUTH_ENDPOINT=${{ secrets.GOVERNANCE_OAUTH_ENDPOINT }} \
             --workdir /scripts \
             --entrypoint /bin/sh \
-            ghcr.io/${{ github.repository_owner }}/xk6:${{ steps.meta.outputs.version }} \
+            ghcr.io/${{ github.repository_owner }}/xk6:${VERSION} \
             /scripts/run_tests.sh
         shell: bash
+        env:
+          VERSION: ${{ steps.meta.outputs.version }}

.github/workflows/sonarcloud.yml

@@ -48,6 +48,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0 # Required for proper blame data in SonarCloud
+          persist-credentials: false
 
       - name: Overwrite .mise.toml # Simplify mise in this workflow
         run: |

.github/workflows/style-check.yml

@@ -11,6 +11,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Overwrite .mise.toml # It's not needed in this workflow
         run: |

.github/workflows/validate-pr.yml

@@ -6,7 +6,6 @@ on:
 
 permissions:
   contents: read
-  pull-requests: write
 
 env:
   # https://cbea.ms/git-commit/#limit-50
@@ -17,6 +16,8 @@ env:
 jobs:
   check-title:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - name: Get PR info
         id: pr
@@ -27,7 +28,7 @@ jobs:
             const title = context.payload.pull_request.title;
             core.setOutput('title', title);
 
-            // Get PR Comments, filtering for only this bot's comments
+            // Get PR Comments
             const allComments = await github.rest.issues.listComments({
               owner: context.repo.owner,
               repo: context.repo.repo,
@@ -42,25 +43,29 @@ jobs:
               comment.body.includes(process.env.BOT_COMMENT_IDENTIFIER)
             );
 
-            core.setOutput('comments', botComments);
+            core.setOutput('comments_json', JSON.stringify(botComments));
 
-            // Get JSON of valid Gitmojis
+            // Get Gitmojis
             const gitmojiResponse = await github.request('GET /repos/{owner}/{repo}/contents/{path}', {
               owner: 'carloscuesta',
               repo: 'gitmoji',
               path: 'packages/gitmojis/src/gitmojis.json'
             });
             const gitmojis = JSON.parse(Buffer.from(gitmojiResponse.data.content, 'base64').toString()).gitmojis;
-            core.setOutput('gitmojis', gitmojis);
+            core.setOutput('gitmojis_json', JSON.stringify(gitmojis));
 
       - name: PR title should start with emoji
+        env:
+          PR_TITLE: ${{ steps.pr.outputs.title }}
+          PR_COMMENTS: ${{ steps.pr.outputs.comments_json }}
+          GITMOJIS: ${{ steps.pr.outputs.gitmojis_json }}
         uses: actions/github-script@v7
         if: always()
         with:
           script: |
-            const prTitle = "${{ steps.pr.outputs.title }}";
-            const comments = ${{ steps.pr.outputs.comments }};
-            const gitmojis = ${{ steps.pr.outputs.gitmojis }};
+            const prTitle = process.env.PR_TITLE;
+            const comments = JSON.parse(process.env.PR_COMMENTS);
+            const gitmojis = JSON.parse(process.env.GITMOJIS);
             const validEmojis = gitmojis.map(g => [g.emoji, g.code]);
 
             const titleStartsWithValidEmoji = validEmojis.some(([emoji, code]) =>
@@ -96,18 +101,19 @@ jobs:
               });
             }
 
-      - name: PR title should not exceed ${{ env.MAX_PR_TITLE_LENGTH }} characters
+      - name: Check PR title length
+        env:
+          PR_TITLE: ${{ steps.pr.outputs.title }}
+          PR_COMMENTS: ${{ steps.pr.outputs.comments_json }}
+          MAX_LENGTH: ${{ env.MAX_PR_TITLE_LENGTH }}
         uses: actions/github-script@v7
         if: always()
         with:
           script: |
-            const prTitle = "${{ steps.pr.outputs.title }}";
-            const comments = ${{ steps.pr.outputs.comments }};
-            const MAX_LENGTH = ${{ env.MAX_PR_TITLE_LENGTH }};
+            const prTitle = process.env.PR_TITLE;
+            const comments = JSON.parse(process.env.PR_COMMENTS);
+            const MAX_LENGTH = parseInt(process.env.MAX_LENGTH, 10);
 
-            // Match either:
-            // 1. Unicode emoji at start (using Unicode properties)
-            // 2. GitHub emoji shortcode format (e.g. :fire:)
             const emojiRegex = /^(?:[\p{Emoji_Presentation}\p{Extended_Pictographic}]|:[a-z0-9_+-]+:)/u;
 
             // Remove emoji prefix and its trailing space for length check