add: statically analyze CI workflows

2bndy5 · 2bndy5 · commit 3adc04cbb291 · 2025-09-07T07:28:56.000-07:00
resolves #6 - includes changes to satisfy warnings/errors raised by zizmor
diff --git a/.github/workflows/ci-check.yml b/.github/workflows/ci-check.yml
@@ -0,0 +1,26 @@
+on:
+  workflow_call:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions: {}
+
+jobs:
+  check-ci-workflows:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+          repository: ${{ github.repository }}
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5
+        with:
+          python-version: '3.x'
+      - name: Run zizmor
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: pipx run zizmor .github/workflows/*.yml
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -44,6 +44,8 @@ jobs:
     steps:
     - name: Checkout repository
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+      with:
+        persist-credentials: false
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [main]
 
+permissions: {}
+
 jobs:
   main:
     uses: ./.github/workflows/pre-commit.yml
diff --git a/.github/workflows/mkdocs.yml b/.github/workflows/mkdocs.yml
@@ -8,6 +8,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6 # v6.6.1
       - name: Install dependencies
         run: uv sync --group docs
diff --git a/.github/workflows/pre-commit.yml b/.github/workflows/pre-commit.yml
@@ -22,7 +22,9 @@ jobs:
           python-version: '3.x'
       - name: Run commands
         if: inputs.commands
-        run: ${{ inputs.commands }}
+        run: ${INPUTS_COMMANDS}
+        env:
+          INPUTS_COMMANDS: ${{ inputs.commands }}
       - name: Cache pre-commit environments
         uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
         with:
diff --git a/.github/workflows/py-coverage.yml b/.github/workflows/py-coverage.yml
@@ -9,6 +9,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+        with:
+          persist-credentials: false
 
       - name: Download all artifacts
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 #v5
diff --git a/.github/workflows/py-publish.yml b/.github/workflows/py-publish.yml
@@ -17,6 +17,7 @@ jobs:
       # use fetch --all for setuptools_scm to work
       with:
         fetch-depth: 0
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5
       with:
@@ -37,14 +38,14 @@ jobs:
         subject-path: 'dist/*'
 
     - name: Publish package (to TestPyPI)
-      if: github.event_name == 'workflow_dispatch' && startsWith(github.repository, 'cpp-linter')
+      if: startsWith(github.repository, 'cpp-linter') && !startsWith(github.ref, 'refs/tags/')
       env:
         TWINE_USERNAME: __token__
         TWINE_PASSWORD: ${{ secrets.TEST_PYPI_TOKEN }}
       run: twine upload --repository testpypi dist/*
 
     - name: Publish package (to PyPI)
-      if: github.event_name != 'workflow_dispatch' && startsWith(github.repository, 'cpp-linter')
+      if: startsWith(github.repository, 'cpp-linter') && startsWith(github.ref, 'refs/tags/')
       env:
         TWINE_USERNAME: __token__
         TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
diff --git a/.github/workflows/snyk-container.yml b/.github/workflows/snyk-container.yml
@@ -8,6 +8,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+      with:
+        persist-credentials: false
     - name: Run Snyk to check Docker image for vulnerabilities
       continue-on-error: true
       uses: snyk/actions/docker@b98d498629f1c368650224d6d212bf7dfa89e4bf #v0.4.0
diff --git a/.github/workflows/sphinx.yml b/.github/workflows/sphinx.yml
@@ -14,13 +14,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5
+        with:
+          persist-credentials: false
       - uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6 # v6.6.1
 
       - name: Install dependencies
         run: uv sync --group docs
 
       - name: Build docs
-        run: uv run sphinx-build docs ${{ inputs.path-to-doc }}
+        run: uv run sphinx-build docs ${INPUTS_PATH_TO_DOC}
+        env:
+          INPUTS_PATH_TO_DOC: ${{ inputs.path-to-doc }}
 
       - name: Upload docs build as artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4
