
Commit 1067f62

[CI] Fix issues in GHA workflows (#16282)
Fixes some issues found by https://docs.zizmor.sh
1 parent 7c0880e commit 1067f62

21 files changed

+103
-9
lines changed

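--- a/.github/workflows/aarch64-github.yml
+++ b/.github/workflows/aarch64-github.yml
@@ -16,7 +16,9 @@ jobs:
 runs-on: ubuntu-24.04
 steps:
 - name: Download Crystal source
-uses: actions/checkout@v5
+uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Install LLVM 20
 run: |
@@ -44,7 +46,9 @@ jobs:
 needs: [aarch64-github-cross-compile]
 steps:
 - name: Checkout Crystal source
-uses: actions/checkout@v5
+uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Install LLVM 20
 run: |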

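--- a/.github/workflows/aarch64.yml
+++ b/.github/workflows/aarch64.yml
@@ -15,6 +15,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 - name: Build Crystal
 uses: docker://crystallang/crystal:1.13.2-alpine-84codes-build
 with:
@@ -33,6 +35,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 - name: Download Crystal executable
 uses: actions/download-artifact@v5
 with:
@@ -50,6 +54,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 - name: Download Crystal executable
 uses: actions/download-artifact@v5
 with:
@@ -66,6 +72,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 - name: Build Crystal
 uses: docker://crystallang/crystal:1.13.2-ubuntu-84codes-build
 with:
@@ -84,6 +92,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 - name: Download Crystal executable
 uses: actions/download-artifact@v5
 with:
@@ -101,6 +111,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 - name: Download Crystal executable
 uses: actions/download-artifact@v5
 with: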
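Review bot: The two `Build Crystal` steps in this file still reference their images by tag (`docker://crystallang/crystal:1.13.2-alpine-84codes-build` and `docker://crystallang/crystal:1.13.2-ubuntu-84codes-build`), and `.github/workflows/lint-actionlint.yml` runs `docker://rhysd/actionlint:latest`. A tag can be repointed at the registry, so each job executes whatever image the tag resolves to at run time. Pinning by digest, for example `uses: docker://rhysd/actionlint@sha256:<digest>  # <version>`, would give these steps the same immutability the repository already applies to third-party actions pinned by commit SHA. The `with:` blocks of these steps continue outside the hunks, so the arguments passed to the images are not visible here.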

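--- a/.github/workflows/backport.yml
+++ b/.github/workflows/backport.yml
@@ -8,6 +8,7 @@ name: Backport
 on:
 pull_request_target:
 types: [closed, labeled]
+branches: [master, release/*]
 
 permissions:
 contents: write # so it can comment
@@ -23,6 +24,7 @@ jobs:
 with:
 ref: ${{ github.event.pull_request.head.sha }}
 token: ${{ secrets.BACKPORT_ACTION_GITHUB_PAT }}
+persist-credentials: false
 
 - name: Create backport PR
 uses: korthout/backport-action@d07416681cab29bf2661702f925f020aaa962997 # v3.4.1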
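Review bot: The `Create backport PR` step may lose its push credentials now that `persist-credentials: false` sits next to `token: ${{ secrets.BACKPORT_ACTION_GITHUB_PAT }}` in the checkout step, because the PAT is then used for the fetch only and is no longer written to `.git/config`. Not persisting it is the safer default under `pull_request_target`, where the checked-out `ref` is the pull request's head commit, but the following step then has to authenticate its own `git push`. Its inputs lie outside the hunk, so whether it receives a token directly cannot be confirmed from here. If it does, a comment above the new line such as `# PAT is only needed for the fetch; the backport step gets its own token` would record the intent; if it relied on the persisted credential, backport runs will fail at the push and should be exercised once before this is depended on.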

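--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -20,6 +20,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Prepare System
 run: bin/ci prepare_system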

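--- a/.github/workflows/forward-compatibility.yml
+++ b/.github/workflows/forward-compatibility.yml
@@ -53,6 +53,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Prepare System
 run: bin/ci prepare_system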

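--- a/.github/workflows/interpreter.yml
+++ b/.github/workflows/interpreter.yml
@@ -19,6 +19,8 @@ jobs:
 name: "Test Interpreter"
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Test interpreter_spec
 run: make interpreter_spec junit_output=.junit/interpreter_spec.xml
@@ -30,6 +32,8 @@ jobs:
 name: Build interpreter
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Build compiler
 run: make interpreter=1 release=1
@@ -53,6 +57,8 @@ jobs:
 name: "Test std_spec with interpreter (${{ matrix.part }})"
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Download compiler artifact
 uses: actions/download-artifact@v5
@@ -74,6 +80,8 @@ jobs:
 name: "Test primitives_spec with interpreter"
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Download compiler artifact
 uses: actions/download-artifact@v5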

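--- a/.github/workflows/lint-actionlint.yml
+++ b/.github/workflows/lint-actionlint.yml
@@ -7,10 +7,14 @@ on:
 paths:
 - '.github/workflows/*.yml'
 
+permissions: {}
+
 jobs:
 actionlint:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 - name: Check workflow files
 uses: docker://rhysd/actionlint:latest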
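Review bot: The new top-level `permissions: {}` leaves the `actionlint` job's checkout with a token that has no `contents` scope, which works only while the repository is publicly readable. A job-level grant under `actionlint:`, `permissions:` followed by `contents: read`, would state what the job needs and keep it working in a private fork or mirror. The job may continue past the end of the hunk, so any later step that needs the token is not visible here.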

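--- a/.github/workflows/lint-shellcheck.yml
+++ b/.github/workflows/lint-shellcheck.yml
@@ -22,4 +22,6 @@ jobs:
 steps:
 - run: shellcheck --version
 - uses: actions/checkout@v5
+with:
+persist-credentials: false
 - run: make lint-shellcheck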

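--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -35,6 +35,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Prepare System
 run: bin/ci prepare_system
@@ -53,6 +55,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Prepare System
 run: bin/ci prepare_system
@@ -71,6 +75,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Prepare System
 run: bin/ci prepare_system
@@ -92,6 +98,8 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Prepare System
 run: bin/ci prepare_system
@@ -108,6 +116,8 @@ jobs:
 steps:
 - name: Checkout Actions Repository
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Spell Check Repo
 uses: crate-ci/typos@80c8a4945eec0f6d464eaf9e65ed98ef085283d1 # v1.38.1
@@ -120,5 +130,7 @@ jobs:
 steps:
 - name: Download Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - run: ameba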

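--- a/.github/workflows/llvm.yml
+++ b/.github/workflows/llvm.yml
@@ -51,6 +51,8 @@ jobs:
 steps:
 - name: Checkout Crystal source
 uses: actions/checkout@v5
+with:
+persist-credentials: false
 
 - name: Install LLVM ${{ matrix.llvm_version || 'Nightly' }}
 run: |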
