ci: fix GitHub Actions security issues found by zizmor

- Add persist-credentials: false to all actions/checkout steps
- Fix template injection by using env vars instead of ${{ }} in run blocks
- Convert ${{ env.* }} to shell env vars in run blocks
- Add cooldown configuration to dependabot

Fixes auto-fixable findings from zizmor v1.23.1 static analysis.
Remaining findings (secrets-outside-env, excessive-permissions,
secrets-inherit) require manual review and are tracked separately.

Related: #3300
Signed-off-by: Vincent Demeester <vdemeest@redhat.com>

Author: vdemeester

.github/dependabot.yml

@@ -10,6 +10,8 @@ updates:
     - "github_action"
     - "kind/misc"
     - "release-note-none"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "gomod" # See documentation for possible values
     directory: "/" # Location of package manifests
     schedule:
@@ -23,3 +25,5 @@ updates:
     - dependency-name: "k8s.io/*"
       update-types: ["version-update:semver-major", "version-update:semver-minor"]
     - dependency-name: "github.com/openshift/client-go"
+    cooldown:
+      default-days: 7

.github/workflows/bump-payload-on-main.yaml

@@ -13,6 +13,8 @@ jobs:
     if: github.repository_owner == 'tektoncd'  # do not run this elsewhere
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
       with:
         go-version-file: "go.mod"

.github/workflows/bump-payload-on-releases.yaml

@@ -29,6 +29,7 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       with:
         ref: ${{ matrix.branch }}
+        persist-credentials: false
     - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
       with:
         go-version-file: "go.mod"
@@ -57,13 +58,15 @@ jobs:
           else
             echo "commit_message=chore: bump payload versions" >> $GITHUB_OUTPUT
             echo "pr_title=chore: bump payload versions" >> $GITHUB_OUTPUT
-            echo "pr_body=Automated component version bump for ${{ matrix.branch }}" >> $GITHUB_OUTPUT
+            echo "pr_body=Automated component version bump for ${MATRIX_BRANCH}" >> $GITHUB_OUTPUT
           fi
         else
           echo "commit_message=chore: bump payload versions" >> $GITHUB_OUTPUT
           echo "pr_title=chore: bump payload versions" >> $GITHUB_OUTPUT
-          echo "pr_body=Automated component version bump for ${{ matrix.branch }}" >> $GITHUB_OUTPUT
+          echo "pr_body=Automated component version bump for ${MATRIX_BRANCH}" >> $GITHUB_OUTPUT
         fi
+      env:
+        MATRIX_BRANCH: ${{ matrix.branch }}
     - name: clean up temporary files
       run: |
         rm -f bump-output.txt commit-message.txt pr-body.txt

.github/workflows/ci.yaml

@@ -33,10 +33,11 @@ jobs:
       with:
         ref: ${{ github.event.pull_request.head.sha }}
         fetch-depth: ${{ steps.base-depth.outputs.base-depth }}
+        persist-credentials: false
     - name: detect
       id: detect
       run: |
-        git fetch origin ${{ github.base_ref }}
+        git fetch origin ${GITHUB_BASE_REF}
 
         # Store git diff command for reuse
         GIT_DIFF_CMD="git diff --name-only ${{ github.event.pull_request.base.sha }}...${{ github.event.pull_request.head.sha }}"
@@ -71,6 +72,8 @@ jobs:
     if: ${{ needs.changes.outputs.non-docs == 'true' }}
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
       with:
         go-version-file: "go.mod"
@@ -85,6 +88,7 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
       with:
         fetch-depth: 0
+        persist-credentials: false
     - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
       with:
         go-version-file: "go.mod"
@@ -118,6 +122,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
       with:
         go-version-file: "go.mod"
@@ -130,6 +136,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
       with:
         go-version-file: "go.mod"
@@ -142,6 +150,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
       with:
         go-version-file: "go.mod"
@@ -171,12 +181,12 @@ jobs:
     - name: Check CI results
       run: |
         results=(
-          "build=${{ needs.build.result }}"
-          "linting=${{ needs.linting.result }}"
-          "tests=${{ needs.tests.result }}"
-          "generated=${{ needs.generated.result }}"
-          "multi-arch-build=${{ needs.multi-arch-build.result }}"
-          "e2e-tests=${{ needs.e2e-tests.result }}"
+          "build=${NEEDS_BUILD_RESULT}"
+          "linting=${NEEDS_LINTING_RESULT}"
+          "tests=${NEEDS_TESTS_RESULT}"
+          "generated=${NEEDS_GENERATED_RESULT}"
+          "multi-arch-build=${NEEDS_MULTI_ARCH_BUILD_RESULT}"
+          "e2e-tests=${NEEDS_E2E_TESTS_RESULT}"
         )
         failed=0
         for r in "${results[@]}"; do
@@ -192,3 +202,10 @@ jobs:
           echo "Some CI jobs failed or were cancelled"
           exit 1
         fi
+      env:
+        NEEDS_BUILD_RESULT: ${{ needs.build.result }}
+        NEEDS_LINTING_RESULT: ${{ needs.linting.result }}
+        NEEDS_TESTS_RESULT: ${{ needs.tests.result }}
+        NEEDS_GENERATED_RESULT: ${{ needs.generated.result }}
+        NEEDS_MULTI_ARCH_BUILD_RESULT: ${{ needs.multi-arch-build.result }}
+        NEEDS_E2E_TESTS_RESULT: ${{ needs.e2e-tests.result }}

.github/workflows/codeql-analysis.yml

@@ -41,6 +41,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/e2e-matrix.yml

@@ -34,6 +34,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0
       with:
         go-version-file: "go.mod"
@@ -76,8 +78,8 @@ jobs:
     - name: Dump Artifacts
       if: ${{ failure() }}
       run: |
-        if [[ -d ${{ env.ARTIFACTS }} ]]; then
-          cd ${{ env.ARTIFACTS }}
+        if [[ -d ${ARTIFACTS} ]]; then
+          cd ${ARTIFACTS}
           for x in $(find . -type f); do
             echo "::group:: artifact $x"
             cat $x

.github/workflows/go-coverage.yml

@@ -40,6 +40,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           path: ${{ github.workspace }}/src/github.com/tektoncd/operator
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c  # v6.4.0

.github/workflows/helm-release.yaml

@@ -15,6 +15,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Configure Git
         run: |

.github/workflows/update-tektoncd-task-versions.yml

@@ -17,6 +17,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Clone TektonCD Catalog (p branch)
         run: |