fix zizmor issues (#602)

Signed-off-by: Bob Callaway <[email protected]>
sigstore · Dec 11, 2024 · cd3380f · cd3380f
1 parent cefb1c4
commit cd3380f
Show file tree

Hide file tree

Showing 5 changed files with 28 additions and 15 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -13,11 +13,13 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: "1.23"
+          go-version-file: 'go.mod'
           check-latest: true
 
       - name: Build

diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -30,11 +30,13 @@ jobs:
 
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Set up Go
         uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: "1.23"
+          go-version-file: 'go.mod'
           check-latest: true
 
       - name: Get test OIDC token

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,23 +6,23 @@ on:
     tags:
       - 'v*'
 
-permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for push images
-  attestations: write
-
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for push images
+      attestations: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0 # this is important, otherwise it won't checkout the full tree (i.e. no previous tags)
+          persist-credentials: false
 
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: '1.23'
+          go-version-file: 'go.mod'
           check-latest: true
 
       - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
@@ -52,13 +52,14 @@ jobs:
       - name: get the digest
         id: digest
         run: |
-          digest=$(crane digest ghcr.io/sigstore/gitsign:${{ env.RELEASE_VERSION }})
+          digest=$(crane digest ghcr.io/sigstore/gitsign:${RELEASE_VERSION})
           echo "digest=${digest}" >> "$GITHUB_OUTPUT"
 
       - name: sign image
         run: |
-          cosign sign "ghcr.io/sigstore/gitsign@${{ steps.digest.outputs.digest }}"
+          cosign sign "ghcr.io/sigstore/gitsign@${DIGEST_TO_SIGN}"
         env:
+          DIGEST_TO_SIGN: ${{ steps.digest.outputs.digest }}
           COSIGN_YES: true
 
       - name: Generate build provenance attestation

diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
@@ -12,10 +12,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: '1.23'
+          go-version-file: 'go.mod'
           check-latest: true
 
       - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0

diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
@@ -15,9 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: '1.23'
+          go-version-file: 'go.mod'
           check-latest: true
       - name: Install addlicense
         run: go install github.com/google/[email protected]
@@ -36,9 +38,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: '1.23'
+          go-version-file: 'go.mod'
           check-latest: true
       - name: golangci-lint
         uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
@@ -51,9 +55,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
         with:
-          go-version: '1.23'
+          go-version-file: 'go.mod'
           check-latest: true
       - name: Check CLI docs are up to date
         run: ./hack/presubmit.sh