Lint our GitHub Actions workflows with zizmor

We just need to set `persist-credentials: false` in all of our workflows. Refs <freedomofpress/securedrop-tooling#18>.
freedomofpress · Jan 3, 2025 · 5476830 · 5476830
1 parent b9efb8d
commit 5476830
Show file tree

Hide file tree

Showing 5 changed files with 29 additions and 1 deletion.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -14,6 +14,7 @@ jobs:
             python3-poetry
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           lfs: true
       - name:  Install additional packages and Python dependencies
         run: |
@@ -34,6 +35,7 @@ jobs:
           apt-get update && apt-get install --yes --no-install-recommends make git git-lfs gnupg ca-certificates
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           lfs: true
       - name: Verify checksums and signatures
         run: |

diff --git a/.github/workflows/reprotest.yml b/.github/workflows/reprotest.yml
@@ -19,6 +19,7 @@ jobs:
             python3-poetry
       - uses: actions/checkout@v4
         with:
+          persist-credentials: false
           lfs: true
       - name:  Install additional packages and Python dependencies
         run: |

diff --git a/Makefile b/Makefile
@@ -5,6 +5,7 @@ SHELL := /bin/bash
 lint:
 	@poetry run ruff check .
 	@poetry run ruff format --check .
+	@poetry run zizmor .
 
 .PHONY: fix
 fix:

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -17,6 +17,7 @@ pytest = "*"
 pytest-mock = "*"
 ruff = "*"
 virtualenv = "<16"
+zizmor = "^1.0.0"
 
 [tool.ruff]
 line-length = 100