ci: fix zizmore findings

rjaegers · rjaegers · commit 921e1df0a023 · 2025-10-15T14:54:04.000Z
diff --git a/.github/instructions/workflows.instructions.md b/.github/instructions/workflows.instructions.md
@@ -8,5 +8,6 @@ When writing GitHub Action workflows, ensure that:
 
 - Workflows that have a workflow_call trigger have their filename prefixed with `wc-`.
 - For all re-usable workflows, only the top-level workflow (workflows that are not called themselves by other workflows with workflow_call) has defaults and descriptions for inputs to avoid duplication.
+- All workflows and action definitions have a name that is descriptive and concise, using emoji where appropriate.
 - The sorting order for inputs, secrets, and outputs is alphabetical.
 - The sorting order of other keys is consistent across the repository.
diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml
@@ -9,7 +9,8 @@ on:
 permissions: {}
 
 jobs:
-  delete-images:
+  cleanup-images:
+    name: 🧹 Clean Images
     runs-on: ubuntu-latest
     permissions:
       # dataaxiom/ghcr-cleanup-action needs packages write permission
diff --git a/.github/workflows/issue-cleanup.yml b/.github/workflows/issue-cleanup.yml
@@ -9,6 +9,7 @@ permissions: {}
 
 jobs:
   close-issues:
+    name: ♻️ Close Stale Issues & PRs
     runs-on: ubuntu-latest
     permissions:
       issues: write
diff --git a/.github/workflows/linting-formatting.yml b/.github/workflows/linting-formatting.yml
@@ -19,6 +19,7 @@ permissions:
 
 jobs:
   linter:
+    name: 🧹 Lint & Format
     runs-on: ubuntu-latest
     permissions:
       contents: read
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -13,6 +13,7 @@ permissions: read-all
 
 jobs:
   ossf-scorecard:
+    name: 🛡️ OpenSSF Scorecard
     runs-on: ubuntu-latest
     permissions:
       security-events: write
diff --git a/.github/workflows/pr-conventional-title.yml b/.github/workflows/pr-conventional-title.yml
@@ -12,6 +12,7 @@ permissions: {}
 
 jobs:
   validate-pr-title:
+    name: ✅ Validate PR Title
     runs-on: ubuntu-latest
     permissions:
       pull-requests: write
diff --git a/.github/workflows/pr-image-cleanup.yml b/.github/workflows/pr-image-cleanup.yml
@@ -9,6 +9,7 @@ permissions: {}
 
 jobs:
   delete-images:
+    name: 🗑️ Delete PR Images
     runs-on: ubuntu-latest
     permissions:
       packages: write
@@ -22,6 +23,7 @@ jobs:
           delete-tags: pr-${{ github.event.pull_request.number }}
           packages: amp-devcontainer,amp-devcontainer-cpp,amp-devcontainer-rust
   cleanup-cache:
+    name: 🧹 Cleanup Cache
     runs-on: ubuntu-latest
     permissions:
       # actions: write permission is required to delete the cache
diff --git a/.github/workflows/pr-report.yml b/.github/workflows/pr-report.yml
@@ -9,6 +9,7 @@ permissions: {}
 
 jobs:
   add-pr-report:
+    name: 📊 Add PR Report
     permissions:
       contents: read
       checks: read
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -42,6 +42,7 @@ jobs:
       acceptance-test-path: ${{ matrix.flavor == 'cpp' && 'test/cpp/features' || '' }}
       test-devcontainer-file: ${{ matrix.flavor == 'cpp' && '.devcontainer/cpp-test/devcontainer.json' || '' }}
   apply-release-notes-template:
+    name: 📝 Apply Release Template
     runs-on: ubuntu-latest
     permissions:
       # `contents: write` is needed to modify a release.
@@ -68,6 +69,7 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           REF_NAME: ${{ github.ref_name }}
   update-release-notes:
+    name: Update Release Notes (🍨 ${{ matrix.flavor }})
     strategy:
       matrix:
         flavor: [cpp, rust]
@@ -119,6 +121,7 @@ jobs:
           GH_REPO: ${{ github.repository }}
           GH_TOKEN: ${{ github.token }}
   upload-documents:
+    name: 📄 Upload Documents
     runs-on: ubuntu-latest
     permissions:
       # `contents: write` is needed to modify a release.
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -14,6 +14,7 @@ permissions:
 
 jobs:
   create-release:
+    name: 🚀 Create Release
     runs-on: ubuntu-latest
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
diff --git a/.github/workflows/social-interaction.yml b/.github/workflows/social-interaction.yml
@@ -11,6 +11,7 @@ permissions: {}
 
 jobs:
   greeting:
+    name: 👋 First Interaction Greeting
     runs-on: ubuntu-latest
     permissions:
       issues: write
diff --git a/.github/workflows/update-dependencies.yml b/.github/workflows/update-dependencies.yml
@@ -10,6 +10,7 @@ permissions: {}
 
 jobs:
   update-apt-dependencies:
+    name: Update APT Dependencies (🍨 ${{ matrix.flavor }})
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -45,6 +46,7 @@ jobs:
           token: ${{ steps.token.outputs.token }}
           sign-commits: true
   update-vscode-extensions:
+    name: Update VS Code Extensions (🍨 ${{ matrix.flavor }}, ${{ matrix.file }})
     runs-on: ubuntu-latest
     strategy:
       matrix:
diff --git a/.github/workflows/vulnerability-scan.yml b/.github/workflows/vulnerability-scan.yml
@@ -10,6 +10,7 @@ permissions: {}
 
 jobs:
   vulnerability-scan:
+    name: 🛡️ Vulnerability Scan (🍨 ${{ matrix.flavor }})
     runs-on: ubuntu-latest
     strategy:
       matrix:
diff --git a/.github/workflows/wc-acceptance-test.yml b/.github/workflows/wc-acceptance-test.yml
@@ -32,6 +32,7 @@ permissions:
 
 jobs:
   test:
+    name: 🧪 Acceptance Test
     runs-on: ubuntu-latest
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
diff --git a/.github/workflows/wc-build-push-test.yml b/.github/workflows/wc-build-push-test.yml
@@ -71,6 +71,7 @@ permissions: {}
 
 jobs:
   build-push:
+    name: 🛠️ Build → Push
     uses: ./.github/workflows/wc-build-push.yml
     permissions:
       actions: read
@@ -91,6 +92,7 @@ jobs:
       build-test-runner-labels: ${{ inputs.build-test-runner-labels }}
 
   integration-test:
+    name: 🧪 Integration Test (${{ matrix.runner }})
     if: ${{ inputs.integration-test-file }}
     strategy:
       matrix:
@@ -107,6 +109,7 @@ jobs:
       runner-labels: ${{ matrix.runner }}
 
   acceptance-test:
+    name: 🧪 Acceptance Test
     if: ${{ inputs.test-devcontainer-file && inputs.acceptance-test-path }}
     needs: build-push
     uses: ./.github/workflows/wc-acceptance-test.yml
diff --git a/.github/workflows/wc-build-push.yml b/.github/workflows/wc-build-push.yml
@@ -49,13 +49,15 @@ permissions: {}
 
 jobs:
   sanitize-image-name:
+    name: 🧼 Sanitize Image Name
     uses: ./.github/workflows/wc-sanitize-image-name.yml
     with:
       image-name: ${{ inputs.image-name }}
       registry: ${{ inputs.registry }}
       runner-labels: ${{ inputs.runner-labels }}
 
   build-push:
+    name: 🛠️ Build → Push (${ { matrix.runner }})
     strategy:
       matrix:
         runner: ${{ (startsWith(inputs.build-test-runner-labels, '[') && endsWith(inputs.build-test-runner-labels, ']')) && fromJson(inputs.build-test-runner-labels) || inputs.build-test-runner-labels }}
@@ -134,6 +136,7 @@ jobs:
           retention-days: 1
 
   merge-image:
+    name: 🔗 Merge Image & Publish Digest
     # Support either a plain single label (e.g. ubuntu-latest) OR a JSON array of labels.
     # If the input starts & ends with brackets we attempt JSON parsing; otherwise we pass the raw string.
     runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
diff --git a/.github/workflows/wc-dependency-review.yml b/.github/workflows/wc-dependency-review.yml
@@ -14,6 +14,7 @@ permissions: {}
 
 jobs:
   dependency-review:
+    name: 🔍 Dependency Review
     runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
     permissions:
       contents: read
diff --git a/.github/workflows/wc-document-generation.yml b/.github/workflows/wc-document-generation.yml
@@ -8,6 +8,7 @@ permissions: {}
 
 jobs:
   generate-documents:
+    name: 📄 Generate Documents
     runs-on: ubuntu-latest
     permissions:
       contents: read
diff --git a/.github/workflows/wc-integration-test.yml b/.github/workflows/wc-integration-test.yml
@@ -35,6 +35,7 @@ permissions: {}
 
 jobs:
   run-test:
+    name: 🧪 Integration Test
     runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
     container:
       image: ${{ inputs.fully-qualified-image-name }}@${{ inputs.image-digest }}
diff --git a/.github/workflows/wc-sanitize-image-name.yml b/.github/workflows/wc-sanitize-image-name.yml
@@ -28,6 +28,7 @@ permissions: {}
 
 jobs:
   sanitize:
+    name: 🧼 Sanitize Image Name
     runs-on: ${{ (startsWith(inputs.runner-labels, '[') && endsWith(inputs.runner-labels, ']')) && fromJson(inputs.runner-labels) || inputs.runner-labels }}
     outputs:
       image-basename: ${{ steps.sanitize-image-name.outputs.sanitized-basename }}
