Commit b183611
authored
chore(ci): address CI lint findings (#545)
This addresses all of zizmor's non-pedantic findings, and adds a
workflow to proactively flag any more that come in.
Key changes:
* I've hash-pinned all actions references. Dependabot will continue to
keep these updated and will update the hash comments as well.
* I've marked every `actions/checkout` with `persist-credentials: false`
except for one that actually needs persisted credentials (which I've
explicitly enabled with an explanatory comment)
* I've dropped some workflow-level permissions in favor of job-level
permissions that were already provisioned.
* I fixed two small template injections caused by expanding output
contexts. I think these were not exploitable in practice, but fixing
them is good for defense in depth (and makes spellcheck work nicely on
these steps).
---------
Signed-off-by: William Woodruff <william@astral.sh>1 parent 557e51d commit b183611
File tree
5 files changed
+139
-45
lines changed- .github/workflows
5 files changed
+139
-45
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
| 24 | + | |
| 25 | + | |
24 | 26 | | |
25 | 27 | | |
26 | 28 | | |
| |||
39 | 41 | | |
40 | 42 | | |
41 | 43 | | |
42 | | - | |
| 44 | + | |
| 45 | + | |
| 46 | + | |
43 | 47 | | |
44 | 48 | | |
45 | 49 | | |
46 | | - | |
| 50 | + | |
47 | 51 | | |
48 | 52 | | |
49 | 53 | | |
| |||
55 | 59 | | |
56 | 60 | | |
57 | 61 | | |
58 | | - | |
| 62 | + | |
59 | 63 | | |
60 | 64 | | |
61 | 65 | | |
| |||
69 | 73 | | |
70 | 74 | | |
71 | 75 | | |
72 | | - | |
| 76 | + | |
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8 | 8 | | |
9 | 9 | | |
10 | 10 | | |
| 11 | + | |
| 12 | + | |
11 | 13 | | |
12 | 14 | | |
13 | 15 | | |
| |||
17 | 19 | | |
18 | 20 | | |
19 | 21 | | |
20 | | - | |
| 22 | + | |
21 | 23 | | |
22 | 24 | | |
0 commit comments