addressing zizmor findings

AlexanderBarabanov · AlexanderBarabanov · commit 8994dc801cf7 · 2025-06-24T10:26:42.000+01:00
Signed-off-by: Barabanov &lt;alexander.barabanov@intel.com&gt;
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -1,5 +1,5 @@
 name: Build Docs
-permissions: read-all
+permissions: { } # No permissions by default on workflow level
 
 on:
   workflow_dispatch: # run on request (no need for PR)
@@ -14,20 +14,29 @@ jobs:
       contents: write
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.10"
       - name: Install dependencies
         run: pip install 'src/python/.[docs]'
       - name: Install and Generate Doxygen
-        uses: mattnotmitt/doxygen-action@v1.12.0
+        uses: mattnotmitt/doxygen-action@b84fe17600245bb5db3d6c247cc274ea98c15a3b # v1.12.0
       - name: Build Docs
         run: |
           cd docs
           make html
+      - name: Branch name
+        id: branch_name
+        shell: bash
+        run: |
+          echo ::set-output name=SOURCE_NAME::${GITHUB_REF#refs/*/}
       - name: Create gh-pages branch
+        env:
+          SOURCE: ${{steps.branch_name.outputs.SOURCE_NAME}}
         run: |
           if [[ ${{github.event_name}} == 'workflow_dispatch' ]]; then
             echo RELEASE_VERSION="test_build" >> $GITHUB_ENV
@@ -52,7 +61,7 @@ jobs:
             git add .nojekyll
             git commit -m "Initializing gh-pages branch"
             git push origin gh-pages
-            git checkout ${{steps.branch_name.outputs.SOURCE_NAME}}
+            git checkout "${SOURCE}"
             echo "Created gh-pages branch"
           else
             echo "Branch gh-pages already exists"
@@ -77,7 +86,7 @@ jobs:
           git add index.html
           git commit -m "Update documentation" -a || true
       - name: Push changes
-        uses: ad-m/github-push-action@master
+        uses: ad-m/github-push-action@77c5b412c50b723d2a4fbc6d71fb5723bcd439aa
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           branch: gh-pages
diff --git a/.github/workflows/pr-labeler.yml b/.github/workflows/pr-labeler.yml
@@ -1,7 +1,12 @@
+#####
+# This workflow is triggered by pull_request_target event.
+# Never checkout the PR and run ANY local code on it.
+#####
+
 name: "Pull Request Labeler"
-permissions: read-all
+permissions: {} # No permissions by default on workflow level
 on:
-  - pull_request_target
+  - pull_request_target # zizmor: ignore[dangerous-triggers]
 
 jobs:
   labeler:
@@ -10,6 +15,6 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v5
+      - uses: actions/labeler@8558fd74291d67161a8a78ce36a881fa63b766a9 # v5.0.0
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/.github/workflows/pre_commit.yml b/.github/workflows/pre_commit.yml
@@ -1,5 +1,5 @@
 name: Pre-Commit Checks
-permissions: read-all
+permissions: { } # No permissions by default on workflow level
 
 on:
   push:
@@ -18,13 +18,15 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: CHECKOUT REPOSITORY
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.10"
       - name: Set up Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: 22
       - name: Install clang-format
@@ -37,9 +39,11 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: CHECKOUT REPOSITORY
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.9"
       - name: Install dependencies
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -5,18 +5,19 @@ on:
   release:
     types: [published]
 
-# Declare default permissions as read only.
-permissions: read-all
+permissions: { } # No permissions by default on workflow level
 
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Set up Python 3.10
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.10"
       - name: Install pypa/build
@@ -25,14 +26,14 @@ jobs:
       - name: Build sdist
         run: |
           python -m build --sdist src/python/
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: artifact-sdist
           path: src/python/dist/*.tar.gz
       - name: Build wheel
         run: |
           python -m build --wheel src/python/
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: artifact-wheel
           path: src/python/dist/*.whl
@@ -43,9 +44,8 @@ jobs:
     environment: pypi
     runs-on: ubuntu-latest
     permissions:
-      packages: write
-      contents: write
-      id-token: write
+      contents: write # required by svenstaro/upload-release-action
+      id-token: write # required by trusted publisher
     steps:
       - name: Download artifacts
         uses: actions/download-artifact@v4
@@ -56,13 +56,13 @@ jobs:
       # to determine where to publish the package distribution to PyPI or TestPyPI
       - name: Check tag
         id: check-tag
-        uses: actions-ecosystem/action-regex-match@v2
+        uses: actions-ecosystem/action-regex-match@9e6c4fb3d5e898f505be7a1fb6e7b0a278f6665b # v2.0.2
         with:
           text: ${{ github.ref }}
           regex: '^refs/tags/[0-9]+\.[0-9]+\.[0-9]+(\.[0-9]+)+(\.[0-9]+rc[0-9]+|rc[0-9]+)?$'
       - name: Upload package distributions to github
         if: ${{ steps.check-tag.outputs.match != '' }}
-        uses: svenstaro/upload-release-action@04733e069f2d7f7f0b4aebc4fbdbce8613b03ccd # v2
+        uses: svenstaro/upload-release-action@ebd922b779f285dafcac6410a0710daee9c12b82 # v2.10.0
         with:
           repo_token: ${{ secrets.GITHUB_TOKEN }}
           file: dist/*
diff --git a/.github/workflows/test_accuracy.yml b/.github/workflows/test_accuracy.yml
@@ -1,5 +1,5 @@
 name: test_accuracy
-permissions: read-all
+permissions: { } # No permissions by default on workflow level
 on:
   pull_request:
   merge_group:
@@ -12,8 +12,10 @@ jobs:
   test_accuracy:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.12"
           cache: pip
diff --git a/.github/workflows/test_precommit.yml b/.github/workflows/test_precommit.yml
@@ -1,5 +1,5 @@
 name: test_precommit
-permissions: read-all
+permissions: { } # No permissions by default on workflow level
 on:
   pull_request:
   merge_group:
@@ -13,9 +13,11 @@ jobs:
     runs-on: ubuntu-22.04
     steps:
       - name: CHECKOUT REPOSITORY
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.9
           cache: pip
@@ -40,18 +42,22 @@ jobs:
     name: CPP-Code-Quality
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: cppcheck
-        uses: chmorgan/cppcheck-action@main
+        uses: chmorgan/cppcheck-action@88696b3fd4a3ced3df76a2f7dc44b251d8232bcb # v1.4
         with:
           github_token: ${{ secrets.GITHUB_TOKEN}}
           # missingInclude: cppcheck can't find stl, openvino, opencv
           other_options: --suppress=missingInclude -Isrc/cpp/models/include -Isrc/cpp/utils/include -Isrc/cpp/pipelines/include --check-config
   CPP-Precommit:
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: "3.10"
           cache: pip
@@ -83,8 +89,10 @@ jobs:
   CPP-Windows-Precommit:
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: 3.9
           cache: pip
@@ -138,8 +146,10 @@ jobs:
         run: |
           brew install colima docker
           colima start
-      - uses: actions/checkout@v3
-      - uses: actions/setup-python@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
         with:
           python-version: ${{ matrix.python-version }}
           cache: pip
