Merge pull request #687 from fractal-analytics-platform/review-GHAs

Review GitHub Actions with zizmor 1.0.1

Author: tcompa

.github/workflows/documentation.yaml

@@ -14,6 +14,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-python@v4
         with:

.github/workflows/end_to_end_tests.yaml

@@ -44,8 +44,9 @@ jobs:
           - 5556:5556
 
     steps:
-      - name: Check out repo
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up node
         uses: actions/setup-node@v4

.github/workflows/github_release.yaml

@@ -18,14 +18,14 @@ jobs:
         node-version: ['18', '20']
 
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up node
         uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node-version }}
-          cache: npm
 
       - name: Install dependencies
         run: npm install
@@ -40,9 +40,13 @@ jobs:
         run: tar -xzf fractal-web-*.tgz
 
       - name: Repack the package removing parent folder
-        run: tar -C package -czf node-${{ matrix.node-version }}-fractal-web-${{ github.ref_name }}.tar.gz build package.json node_modules LICENSE  
+        env:
+          GITHUB_REF_NAME: ${{ github.ref_name }}
+        run: tar -C package -czf "node-${{ matrix.node-version }}-fractal-web-${GITHUB_REF_NAME}.tar.gz" build package.json node_modules LICENSE  
 
       - name: Release
         uses: softprops/action-gh-release@v2
+        env:
+          GITHUB_REF_NAME: ${{ github.ref_name }}
         with:
-          files: node-${{ matrix.node-version }}-fractal-web-${{ github.ref_name }}.tar.gz
+          files: node-${{ matrix.node-version }}-fractal-web-${GITHUB_REF_NAME}.tar.gz

.github/workflows/lint_and_build.yaml

@@ -17,8 +17,9 @@ jobs:
         node-version: ['18', '20']
 
     steps:
-      - name: Check out repo
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up node
         uses: actions/setup-node@v4

.github/workflows/unit_tests.yaml

@@ -17,8 +17,9 @@ jobs:
         node-version: ['18', '20']
 
     steps:
-      - name: Check out repo
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up node
         uses: actions/setup-node@v4

CHANGELOG.md

@@ -1,5 +1,8 @@
 *Note: Numbers like (\#123) point to closed Pull Requests on the fractal-web repository.*
 
+# Unreleased
+* Fixed findings based on `zizmor 1.0.1` audit (\#687).
+
 # 1.14.0
 
 * Removed legacy version support (\#684);