FIx Zizmor issues

Author: KevinMind

.github/actions/context/action.yml

@@ -65,19 +65,21 @@ runs:
       env:
         # The default branch of the repository, in this case "master"
         default_branch: ${{ github.event.repository.default_branch }}
+        event_name: ${{ github.event_name }}
+        event_action: ${{ github.event.action }}
+        ref_name: ${{ github.ref_name }}
+        head_ref: ${{ github.head_ref }}
+        release_tag_name: ${{ github.event.release.tag_name }}
       shell: bash
       run: |
-        event_name="${{ github.event_name }}"
-        event_action="${{ github.event.action }}"
-
         # Stable check for if the workflow is running on the default branch
         # https://stackoverflow.com/questions/64781462/github-actions-default-branch-variable
         is_default_branch="${{ format('refs/heads/{0}', env.default_branch) == github.ref }}"
 
         # In most events, the epository refers to the head which would be the fork
         is_fork="${{ github.event.repository.fork }}"
         # Default version is the branch name
-        docker_version="${{ github.ref_name }}"
+        docker_version="${ref_name}"
 
         # This is different in a pull_request where we need to check the head explicitly
         if [[ "${{ github.event_name }}" == 'pull_request' ]]; then
@@ -87,7 +89,7 @@ runs:
           is_dependabot="${{ github.actor == 'dependabot[bot]' }}"
 
           # For PRs we need to reference the head branch
-          docker_version="${{ github.head_ref }}"
+          docker_version="${head_ref}"
 
           # If the head repository is a fork or if the PR is opened by dependabot
           # we consider the run to be a fork. Dependabot and proper forks are treated
@@ -115,7 +117,7 @@ runs:
             is_release_tag="true"
 
             # If we are releasing a tag, we tag the docker version as the git tag
-            docker_version="${{ github.event.release.tag_name }}"
+            docker_version="${release_tag_name}"
           fi
         fi
 
@@ -128,4 +130,4 @@ runs:
         echo "git_sha=${{ github.sha }}" >> $GITHUB_OUTPUT
 
         echo "event_name: $event_name"
-        cat $GITHUB_OUTPUT
+        cat "${GITHUB_OUTPUT}"

.github/actions/pr-comment/action.yml

@@ -33,15 +33,16 @@ runs:
       shell: bash
       env:
         GH_TOKEN: ${{ inputs.github_token }}
+        repo: ${{ inputs.repo }}
+        pr_number: ${{ inputs.pr }}
+        edit_last: ${{ inputs.edit_last }}
+        body: ${{ inputs.body }}
       run: |
         # --- Input variables ---
-        repo="${{ inputs.repo }}"
-        pr_number="${{ inputs.pr }}"
-        edit_last="${{ inputs.edit_last }}"
         tmp_file=$(mktemp)
 
         cat <<'EOF' > "$tmp_file"
-        ${{ inputs.body }}
+        ${body}
         EOF
 
         args="--repo ${repo} --body-file $tmp_file --create-if-none"

.github/workflows/ci.yml

@@ -11,6 +11,8 @@ on:
 env:
   SLACK_CHANNEL: ${{ vars.SLACK_CHANNEL_TEST }}
 
+permissions: {}
+
 jobs:
   test_actions:
     permissions:
@@ -31,6 +33,8 @@ jobs:
         run: make ${{ matrix.target }}
 
   slack_action_payload:
+    permissions:
+        contents: 'read'
     runs-on: ubuntu-latest
     name: Test Slack Action ${{ matrix.name }}
     strategy:
@@ -110,6 +114,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Slack Action Payload
         id: slack
@@ -164,6 +170,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: "Test Slack Action: ${{ matrix.name }}"
         id: slack
@@ -173,7 +181,7 @@ jobs:
           # We explicitly don't pass the slack token so that we can test
           # If the action actually attempts to send a message. This would
           # fail and we can assert that an attempt was made to send the message.
-          # slack_token: ${{ secrets.SLACK_BOT_TOKEN }}
+          slack_token: ''
           payload: |
             channel: ${{ vars.SLACK_CHANNEL_TEST }}
             text: "Dry run is '${{ matrix.dry_run }}'"
@@ -270,6 +278,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Slack Workflow Notification
         uses: ./.github/actions/slack-workflow-notification

.github/workflows/docs.yml

@@ -11,9 +11,13 @@ on:
 env:
   docs_artifact: docs
 
+permissions: {}
+
 jobs:
   context:
     runs-on: ubuntu-latest
+    permissions:
+      contents: 'read'
 
     outputs:
       is_release_master: ${{ steps.context.outputs.is_release_master }}
@@ -22,14 +26,23 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - id: context
         uses: ./.github/actions/context
 
   docs_build:
+    permissions:
+      contents: 'read'
+      actions: 'write'
+
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python
         uses: actions/setup-python@v5

.github/workflows/stale.yml

@@ -9,6 +9,8 @@ on:
   schedule:
   - cron: '41 0 * * *'
 
+permissions: {}
+
 jobs:
   stale:
 
@@ -22,7 +24,7 @@ jobs:
         repo-token: ${{ secrets.GITHUB_TOKEN }}
         stale-issue-message: >
           This issue has been automatically marked as stale because it has not had
-          recent activity. If you think this bug should stay open, please comment on 
+          recent activity. If you think this bug should stay open, please comment on
           the issue with further details. Thank you for your contributions.
         stale-issue-label: 'state:stale'
         days-before-stale: 180