fix zizmor findings

crazy-max · crazy-max · commit a19629512d12 · 2026-03-27T10:31:21.000+01:00
Signed-off-by: CrazyMax &lt;1951866+crazy-max@users.noreply.github.com&gt;
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -5,6 +5,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 2
     labels:
       - "dependencies"
       - "bot"
@@ -13,6 +15,8 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 2
     versioning-strategy: "increase"
     allow:
       - dependency-type: "production"
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   push:
     branches:
@@ -24,7 +27,7 @@ jobs:
     steps:
       -
         name: Build
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           targets: build
         env:
diff --git a/.github/workflows/buildx-lab-releases-json.yml b/.github/workflows/buildx-lab-releases-json.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   schedule:
@@ -22,20 +25,22 @@ jobs:
       repository: docker/buildx-desktop
       artifact_name: buildx-lab-releases-json
       filename: buildx-lab-releases.json
-    secrets: inherit
 
   open-pr:
     runs-on: ubuntu-24.04
     if: github.event_name != 'pull_request'
+    permissions:
+      contents: write
+      pull-requests: write
     needs:
       - generate
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Download
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: buildx-lab-releases-json
           path: .github
diff --git a/.github/workflows/buildx-releases-json.yml b/.github/workflows/buildx-releases-json.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   schedule:
@@ -22,20 +25,22 @@ jobs:
       repository: docker/buildx
       artifact_name: buildx-releases-json
       filename: buildx-releases.json
-    secrets: inherit
 
   open-pr:
     runs-on: ubuntu-24.04
     if: github.event_name != 'pull_request'
+    permissions:
+      contents: write
+      pull-requests: write
     needs:
       - generate
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Download
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: buildx-releases-json
           path: .github
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -7,40 +7,41 @@ on:
   pull_request:
 
 permissions:
-  actions: read
   contents: read
-  security-events: write
 
 env:
   NODE_VERSION: "24"
 
 jobs:
   analyze:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Enable corepack
         run: |
           corepack enable
           yarn --version
       -
         name: Set up Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       -
         name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           languages: javascript-typescript
       -
         name: Autobuild
-        uses: github/codeql-action/autobuild@v4
+        uses: github/codeql-action/autobuild@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
       -
         name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           category: "/language:javascript-typescript"
diff --git a/.github/workflows/compose-lab-releases-json.yml b/.github/workflows/compose-lab-releases-json.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   schedule:
@@ -22,20 +25,22 @@ jobs:
       repository: docker/compose-desktop
       artifact_name: compose-lab-releases-json
       filename: compose-lab-releases.json
-    secrets: inherit
 
   open-pr:
     runs-on: ubuntu-24.04
     if: github.event_name != 'pull_request'
+    permissions:
+      contents: write
+      pull-requests: write
     needs:
       - generate
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Download
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: compose-lab-releases-json
           path: .github
diff --git a/.github/workflows/compose-releases-json.yml b/.github/workflows/compose-releases-json.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   schedule:
@@ -22,20 +25,22 @@ jobs:
       repository: docker/compose
       artifact_name: compose-releases-json
       filename: compose-releases.json
-    secrets: inherit
 
   open-pr:
     runs-on: ubuntu-24.04
     if: github.event_name != 'pull_request'
+    permissions:
+      contents: write
+      pull-requests: write
     needs:
       - generate
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Download
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: compose-releases-json
           path: .github
diff --git a/.github/workflows/cosign-releases-json.yml b/.github/workflows/cosign-releases-json.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   schedule:
@@ -22,20 +25,22 @@ jobs:
       repository: sigstore/cosign
       artifact_name: cosign-releases-json
       filename: cosign-releases.json
-    secrets: inherit
 
   open-pr:
     runs-on: ubuntu-24.04
     if: github.event_name != 'pull_request'
+    permissions:
+      contents: write
+      pull-requests: write
     needs:
       - generate
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Download
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: cosign-releases-json
           path: .github
diff --git a/.github/workflows/docker-releases-json.yml b/.github/workflows/docker-releases-json.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   schedule:
@@ -25,20 +28,22 @@ jobs:
       tag_patterns: |
         ^docker-(.*)$
         ^(v.*)$
-    secrets: inherit
 
   open-pr:
     runs-on: ubuntu-24.04
     if: github.event_name != 'pull_request'
+    permissions:
+      contents: write
+      pull-requests: write
     needs:
       - generate
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Download
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: docker-releases-json
           path: .github
diff --git a/.github/workflows/pr-assign-author.yml b/.github/workflows/pr-assign-author.yml
@@ -4,7 +4,7 @@ permissions:
   contents: read
 
 on:
-  pull_request_target:
+  pull_request_target: # zizmor: ignore[dangerous-triggers] does not checkout, safe to use pull_request_target
     types:
       - opened
       - reopened
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,13 +1,12 @@
 name: publish
 
-permissions:
-  id-token: write # required for OIDC
-  contents: write # required to create GitHub Release
-
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   push:
     tags:
@@ -19,18 +18,21 @@ env:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # required for OIDC
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Enable corepack
         run: |
           corepack enable
           yarn --version
       -
         name: Setup Node
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: 'yarn'
@@ -51,11 +53,3 @@ jobs:
         run: |
           npm version --no-git-tag-version ${GITHUB_REF#refs/tags/v}
           npm publish --provenance --access public
-      -
-        name: Create Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe  # v2.6.1
-        with:
-          draft: true
-          generate_release_notes: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/regclient-releases-json.yml b/.github/workflows/regclient-releases-json.yml
@@ -4,6 +4,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 on:
   workflow_dispatch:
   schedule:
@@ -22,20 +25,22 @@ jobs:
       repository: regclient/regclient
       artifact_name: regclient-releases-json
       filename: regclient-releases.json
-    secrets: inherit
 
   open-pr:
     runs-on: ubuntu-latest
     if: github.event_name != 'pull_request'
+    permissions:
+      contents: write
+      pull-requests: write
     needs:
       - generate
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Download
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           name: regclient-releases-json
           path: .github
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
diff --git a/.github/workflows/undock-releases-json.yml b/.github/workflows/undock-releases-json.yml
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
diff --git a/.github/workflows/virtual-env.yml b/.github/workflows/virtual-env.yml
