ci: audit workflows with zizmor

2026-04-18 14:06:29 +03:00 · 2025-02-14 23:18:34 +00:00
parent 5c3d1e7dae
commit 96704eb73d
13 changed files with 93 additions and 2 deletions
--- a/.github/workflows/deltachat-rpc-server.yml
+++ b/.github/workflows/deltachat-rpc-server.yml
@@ -17,6 +17,8 @@ on:
  release:
    types: [published]

+permissions: {}
+
 jobs:
  # Build a version statically linked against musl libc
  # to avoid problems with glibc version incompatibility.
@@ -31,6 +33,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          show-progress: false
+          persist-credentials: false
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/magic-nix-cache-action@main

@@ -55,6 +58,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          show-progress: false
+          persist-credentials: false
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/magic-nix-cache-action@main

@@ -80,6 +84,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          show-progress: false
+          persist-credentials: false

      - name: Setup rust target
        run: rustup target add ${{ matrix.arch }}-apple-darwin
@@ -105,6 +110,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          show-progress: false
+          persist-credentials: false
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/magic-nix-cache-action@main

@@ -132,6 +138,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          show-progress: false
+          persist-credentials: false
      - uses: DeterminateSystems/nix-installer-action@main
      - uses: DeterminateSystems/magic-nix-cache-action@main

@@ -258,8 +265,9 @@ jobs:
        if: github.event_name == 'release'
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          REF_NAME: ${{ github.ref_name }}
        run: |
-          gh release upload ${{ github.ref_name }} \
+          gh release upload "$REF_NAME" \
            --repo ${{ github.repository }} \
            bin/* dist/*

@@ -280,6 +288,7 @@ jobs:
      - uses: actions/checkout@v4
        with:
          show-progress: false
+          persist-credentials: false
      - uses: actions/setup-python@v5
        with:
          python-version: "3.11"
@@ -385,8 +394,9 @@ jobs:
        if: github.event_name == 'release'
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          REF_NAME: ${{ github.ref_name }}
        run: |
-          gh release upload ${{ github.ref_name }} \
+          gh release upload "$REF_NAME" \
            --repo ${{ github.repository }} \
            deltachat-rpc-server/npm-package/*.tgz