From d0728b8a51c459bae3935c72cfc4e9ec4c170a84 Mon Sep 17 00:00:00 2001
From: Bob Callaway
Date: Wed, 11 Dec 2024 09:08:46 -0500
Subject: [PATCH] fix zizmor issues

Signed-off-by: Bob Callaway
---
 .github/workflows/ci.yaml | 4 +++-
 .github/workflows/e2e.yaml | 4 +++-
 .github/workflows/release.yml | 19 ++++++++++---------
 .github/workflows/validate-release.yml | 4 +++-
 .github/workflows/verify.yml | 12 +++++++++---
 5 files changed, 28 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index a0b9509b..4fb264cc 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -13,11 +13,13 @@ jobs:
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Set up Go
       uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
-        go-version: "1.23"
+        go-version-file: 'go.mod'
         check-latest: true
     - name: Build
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
index bd5a8d2a..a55ff31a 100644
--- a/.github/workflows/e2e.yaml
+++ b/.github/workflows/e2e.yaml
@@ -30,11 +30,13 @@ jobs:
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Set up Go
       uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
-        go-version: "1.23"
+        go-version-file: 'go.mod'
         check-latest: true
     - name: Get test OIDC token
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1031b8b8..00d51035 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
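Review bot: `persist-credentials: false` on the checkout step in the ci.yaml hunk removes the GITHUB_TOKEN from the working tree's git config, so any later step in the same job that pushes, tags or otherwise runs authenticated git commands will start failing; those later steps (from `- name: Build` onward) are outside the hunk, so please confirm none of them depend on the persisted credential. The same check applies to the e2e.yaml hunk below it and to the release.yml, validate-release.yml and verify.yml hunks, where release.yml in particular pairs it with `fetch-depth: 0` on a job that writes releases. Separately, `go-version-file: 'go.mod'` together with `check-latest: true` makes the toolchain follow the `go` directive in go.mod and, presumably, resolve to the newest matching patch release at run time rather than a version pinned in the workflow; a short comment such as `# Go version follows the go directive in go.mod` above that line would make the intent clear to the next reader.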
@@ -6,23 +6,23 @@ on:
   tags:
     - 'v*'
-permissions:
-  contents: write # needed to write releases
-  id-token: write # needed for keyless signing
-  packages: write # needed for push images
-  attestations: write
-
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # needed to write releases
+      id-token: write # needed for keyless signing
+      packages: write # needed for push images
+      attestations: write
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         fetch-depth: 0 # this is important, otherwise it won't checkout the full tree (i.e. no previous tags)
+        persist-credentials: false
     - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
-        go-version: '1.23'
+        go-version-file: 'go.mod'
         check-latest: true
     - uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
@@ -52,13 +52,14 @@ jobs:
     - name: get the digest
       id: digest
       run: |
-        digest=$(crane digest ghcr.io/sigstore/gitsign:${{ env.RELEASE_VERSION }})
+        digest=$(crane digest ghcr.io/sigstore/gitsign:${RELEASE_VERSION})
         echo "digest=${digest}" >> "$GITHUB_OUTPUT"
     - name: sign image
       run: |
-        cosign sign "ghcr.io/sigstore/gitsign@${{ steps.digest.outputs.digest }}"
+        cosign sign "ghcr.io/sigstore/gitsign@${DIGEST_TO_SIGN}"
       env:
+        DIGEST_TO_SIGN: ${{ steps.digest.outputs.digest }}
         COSIGN_YES: true
     - name: Generate build provenance attestation
diff --git a/.github/workflows/validate-release.yml b/.github/workflows/validate-release.yml
index c07ff872..57e0f054 100644
--- a/.github/workflows/validate-release.yml
+++ b/.github/workflows/validate-release.yml
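Review bot: In the second release.yml hunk the digest step now reads `${RELEASE_VERSION}` as a plain shell variable, but nothing in the hunk sets it; the removed line used `env.RELEASE_VERSION`, so it presumably comes from a job- or workflow-level `env:` mapping outside the hunk, and it is worth confirming that mapping still exists, since an unset variable here would silently produce a tag-less image reference. The expansion is also unquoted, unlike the new `cosign sign` line; `digest=$(crane digest "ghcr.io/sigstore/gitsign:${RELEASE_VERSION}")` keeps it consistent and word-splitting-safe. The `DIGEST_TO_SIGN` indirection through `env:` is the right shape for the sign step; the same pattern could be used for the version in the digest step's own `env:` so both steps document their inputs the same way.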
@@ -12,10 +12,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
-        go-version: '1.23'
+        go-version-file: 'go.mod'
         check-latest: true
     - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml
index 56e3b061..05092b08 100644
--- a/.github/workflows/verify.yml
+++ b/.github/workflows/verify.yml
@@ -15,9 +15,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
-        go-version: '1.23'
+        go-version-file: 'go.mod'
         check-latest: true
     - name: Install addlicense
       run: go install github.com/google/addlicense@v1.0.0
@@ -36,9 +38,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
-        go-version: '1.23'
+        go-version-file: 'go.mod'
         check-latest: true
     - name: golangci-lint
       uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8 # v6.1.1
@@ -51,9 +55,11 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
       with:
-        go-version: '1.23'
+        go-version-file: 'go.mod'
         check-latest: true
     - name: Check CLI docs are up to date
       run: ./hack/presubmit.sh