fix zizmor issues (#521)

Signed-off-by: Bob Callaway <bcallaway@google.com>
sigstore · Dec 11, 2024 · 639b061 · 639b061
1 parent 2a0f9d2
commit 639b061
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 1 deletion.
diff --git a/.github/workflows/github-sync-main-sigstore-conformance.yml b/.github/workflows/github-sync-main-sigstore-conformance.yml
@@ -26,6 +26,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - uses: sigstore/github-sync@main
       if: ${{ inputs.preview }}
       with:

diff --git a/.github/workflows/github-sync-main-sigstore.yml b/.github/workflows/github-sync-main-sigstore.yml
@@ -26,6 +26,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - uses: sigstore/github-sync@main
       if: ${{ inputs.preview }}
       with:

diff --git a/.github/workflows/github-sync-pr-sigstore-conformance.yml b/.github/workflows/github-sync-pr-sigstore-conformance.yml
@@ -24,6 +24,7 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.event.pull_request.head.sha }}
+        persist-credentials: false
 
     - uses: sigstore/github-sync@main
       with:

diff --git a/.github/workflows/github-sync-pr-sigstore.yml b/.github/workflows/github-sync-pr-sigstore.yml
@@ -24,6 +24,7 @@ jobs:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         ref: ${{ github.event.pull_request.head.sha }}
+        persist-credentials: false
 
     - uses: sigstore/github-sync@main
       with:

diff --git a/.github/workflows/reusable-dependency-review.yml b/.github/workflows/reusable-dependency-review.yml
@@ -23,6 +23,8 @@ jobs:
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0
         with:

diff --git a/.github/workflows/reusable-release.yml b/.github/workflows/reusable-release.yml
@@ -40,6 +40,7 @@ jobs:
     env:
       PROJECT_ID: 'projectsigstore'
       RELEASE_TAG: ${{ inputs.release_tag }}
+      REPO: ${{ inputs.repo }}
     steps:
       - name: Check actor access
         if: ${{ !contains( fromJson('["bobcallaway","cpanato","lukehinds","priyawadhwa","haydentherapper"]'), github.actor ) }}
@@ -49,6 +50,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           path: ./src/github.com/sigstore/${{ inputs.repo }}
+          persist-credentials: false
 
       - name: Set release tag if not specified
         if: ${{ inputs.release_tag == '' }}
@@ -72,4 +74,4 @@ jobs:
 
       - name: Start cloudbuild job
         working-directory: ./src/github.com/sigstore/${{ inputs.repo }}
-        run: gcloud builds submit --no-source --async --config release/cloudbuild.yaml --substitutions _GIT_TAG=${{ env.RELEASE_TAG }},_TOOL_ORG=sigstore,_TOOL_REPO=${{ inputs.repo }},_STORAGE_LOCATION=${{ inputs.repo }}-releases,_KEY_RING=release-cosign,_KEY_NAME=cosign,_GITHUB_USER=sigstore-bot --project=${{ env.PROJECT_ID }}
+        run: gcloud builds submit --no-source --async --config release/cloudbuild.yaml --substitutions _GIT_TAG=${RELEASE_TAG},_TOOL_ORG=sigstore,_TOOL_REPO=${REPO},_STORAGE_LOCATION=${REPO}-releases,_KEY_RING=release-cosign,_KEY_NAME=cosign,_GITHUB_USER=sigstore-bot --project=${PROJECT_ID}