| author | Patrick Linnane <patrick@linnane.io> | 2025-04-01 15:33:44 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-04-01 22:33:44 +0000 |
| commit | fc237a16900362eac5395a424d88fe6381b4affa (patch) | |
| tree | b8186904d5fa5764965ef4141fa341e75a3f1dab | |
| parent | 6af7c5891fd8b459f24577e4e85add05f966840e (diff) | |
workflows: fix zizmor findings (part 1) (#190)
Signed-off-by: Patrick Linnane <patrick@linnane.io>
| -rw-r--r-- | .github/workflows/docker-pr.yml | 5 | ||||
| -rw-r--r-- | .github/workflows/docker.yml | 1 | ||||
| -rw-r--r-- | .github/workflows/docs-deploy.yml | 2 | ||||
| -rw-r--r-- | .github/workflows/go.yml | 2 | ||||
| -rw-r--r-- | docs/docs/CHANGELOG.md | 1 |
5 files changed, 10 insertions, 1 deletions
diff --git a/.github/workflows/docker-pr.yml b/.github/workflows/docker-pr.yml index b124f75..03539f7 100644 --- a/.github/workflows/docker-pr.yml +++ b/.github/workflows/docker-pr.yml @@ -19,6 +19,7 @@ jobs: with: fetch-tags: true fetch-depth: 0 + persist-credentials: false - name: Set up Homebrew uses: Homebrew/actions/setup-homebrew@master @@ -62,4 +63,6 @@ jobs: - run: | echo "Test this with:" - echo "docker pull ${{ steps.build.outputs.docker_image }}"
\ No newline at end of file + echo "docker pull ${DOCKER_IMAGE}" + env: + DOCKER_IMAGE: ${{ steps.build.outputs.docker_image }} diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index c3a532f..d094453 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml @@ -25,6 +25,7 @@ jobs: with: fetch-tags: true fetch-depth: 0 + persist-credentials: false - name: Set up Homebrew uses: Homebrew/actions/setup-homebrew@master diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml index 1636c48..652351f 100644 --- a/.github/workflows/docs-deploy.yml +++ b/.github/workflows/docs-deploy.yml @@ -17,6 +17,8 @@ jobs: steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 diff --git a/.github/workflows/go.yml b/.github/workflows/go.yml index 09b543a..3c333dd 100644 --- a/.github/workflows/go.yml +++ b/.github/workflows/go.yml @@ -16,6 +16,8 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + with: + persist-credentials: false - name: build essential run: | diff --git a/docs/docs/CHANGELOG.md b/docs/docs/CHANGELOG.md index e55eaea..c40bc07 100644 --- a/docs/docs/CHANGELOG.md +++ b/docs/docs/CHANGELOG.md @@ -31,6 +31,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Added support for passing the ed25519 signing key in a file with `-ed25519-private-key-hex-file` or `ED25519_PRIVATE_KEY_HEX_FILE`. - Fixed minor typos - Added `zizmor` for GitHub Actions static analysis +- Fixed most `zizmor` findings ## v1.15.1 |
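Review bot: in the first hunk of `.github/workflows/docker-pr.yml` (and the matching hunk in `.github/workflows/docker.yml`), the step directly after the hardened checkout still reads `uses: Homebrew/actions/setup-homebrew@master`, a mutable branch reference. Whatever lands on that branch runs in this job, so dropping the persisted checkout token only narrows part of the exposure. Pin the action to a full commit SHA, with the branch or tag name in a trailing comment, either here or in the follow-up to this "part 1" change.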
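Review bot: in the second hunk of `.github/workflows/docker-pr.yml`, the new `env:` block carries no comment saying why the step output is passed through `DOCKER_IMAGE` instead of being expanded inline, so a later cleanup could fold `${{ steps.build.outputs.docker_image }}` back into the `run:` script and reintroduce the template expansion inside shell text. A one-line YAML comment above `env:` stating that the value is passed through the environment to keep expression output out of the script body would protect the fix. The hunk also replaces a final line that had no trailing newline, which is fine to keep.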
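Review bot: in the `.github/workflows/docs-deploy.yml` hunk, `persist-credentials: false` is added to `actions/checkout@v4` in a deploy job, and the visible context shows only the next step (`docker/setup-buildx-action@v3`). If any later step in this job pushes or fetches over git using the token that checkout used to leave in the local git config, it will now fail at run time, so confirm that the deploy path authenticates explicitly. The same check applies to the `.github/workflows/go.yml` hunk, although the build step shown there does not suggest any git write.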
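Review bot: in the `docs/docs/CHANGELOG.md` hunk, the new entry "Fixed most `zizmor` findings" does not say which findings were fixed or which remain, and the commit title marks this as part 1. Naming the two classes this patch addresses (checkout no longer persists credentials, and a step output moved from inline expression expansion to an environment variable) would let readers of the changelog tell what changed in their workflows.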
