Merge pull request #391 from crazy-max/zizmor

ci: zizmor workflow

Author: crazy-max

.github/dependabot.yml

@@ -5,6 +5,12 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 2
+    groups:
+      crazy-max-dot-github:
+        patterns:
+          - "crazy-max/.github/*"
     labels:
       - "area/dependencies"
       - "bot"

.github/workflows/.build.yml

@@ -1,6 +1,9 @@
 # reusable workflow
 name: .build
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     inputs:
@@ -16,6 +19,17 @@ on:
       distros:
         required: false
         type: string
+    secrets:
+      rh_user:
+        required: false
+      rh_pass:
+        required: false
+      dockerpublicbot_username:
+        required: false
+      dockerpublicbot_write_pat:
+        required: false
+      ghtoken:
+        required: false
 
 env:
   REPO_SLUG: dockereng/packaging
@@ -30,11 +44,11 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Matrix
         id: matrix
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           INPUT_NAME: ${{ inputs.name }}
           INPUT_RELEASE: ${{ inputs.release }}
@@ -109,61 +123,63 @@ jobs:
     timeout-minutes: 60
     needs:
       - prepare
+    env:
+      INPUT_ENVS: ${{ inputs.envs }}
+      INPUT_NAME: ${{ inputs.name }}
     strategy:
       fail-fast: false
       matrix:
         include: ${{ fromJson(needs.prepare.outputs.includes) }}
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Environment variables
         run: |
-          for l in "${{ inputs.envs }}"; do
-            echo "${l?}" >> $GITHUB_ENV
-          done
+          if [ -n "$INPUT_ENVS" ]; then
+            printf '%s\n' "$INPUT_ENVS" >> "$GITHUB_ENV"
+          fi
       -
         name: Prepare
-        # Set platform pair for artifact upload
         run: |
           platform=${{ matrix.platform }}
           echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
       -
         name: Set up QEMU
-        uses: docker/setup-qemu-action@v4
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: latest
       -
         name: Build
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           source: .
           targets: pkg-${{ inputs.name }}-${{ matrix.distro }}
           set: |
             *.platform=${{ matrix.platform }}
         env:
-          RH_USER: ${{ secrets.RH_USER }}
-          RH_PASS: ${{ secrets.RH_PASS }}
+          RH_USER: ${{ secrets.rh_user }}
+          RH_PASS: ${{ secrets.rh_pass }}
       -
         name: List artifacts
         run: |
-          tree -nh ./bin/pkg/${{ inputs.name }}
+          tree -nh "./bin/pkg/${INPUT_NAME}"
       -
         name: Verify
         if: ${{ matrix.verify }}
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           source: .
           targets: verify-${{ inputs.name }}-${{ matrix.distro }}
           set: |
             *.platform=${{ matrix.platform }}
       -
         name: Upload artifacts
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: build-pkg-${{ inputs.name }}-${{ matrix.distro }}-${{ env.PLATFORM_PAIR }}
           path: ./bin/pkg/${{ inputs.name }}/*
@@ -175,55 +191,58 @@ jobs:
     timeout-minutes: 10
     needs:
       - build
+    env:
+      INPUT_ENVS: ${{ inputs.envs }}
+      INPUT_NAME: ${{ inputs.name }}
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Environment variables
         run: |
-          for l in "${{ inputs.envs }}"; do
-            echo "${l?}" >> $GITHUB_ENV
-          done
+          if [ -n "$INPUT_ENVS" ]; then
+            printf '%s\n' "$INPUT_ENVS" >> "$GITHUB_ENV"
+          fi
       -
         name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
         with:
           version: latest
       -
         name: Download artifacts
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
         with:
           path: ./bin/pkg/${{ inputs.name }}
           pattern: build-pkg-${{ inputs.name }}-*
           merge-multiple: true
       -
         name: List artifacts
         run: |
-          tree -nh ./bin/pkg/${{ inputs.name }}
+          tree -nh "./bin/pkg/${INPUT_NAME}"
       -
         name: Generate metadata
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           source: .
           targets: metadata-${{ inputs.name }}
           provenance: false
       -
         name: Resolve metadata
         run: |
-          for l in $(cat ./bin/pkg/${{ inputs.name }}/metadata.env); do
+          while IFS= read -r l; do
             export "${l?}"
-            echo "${l?}" >> $GITHUB_ENV
-          done
+            printf '%s\n' "${l?}" >> "$GITHUB_ENV"
+          done < "./bin/pkg/${INPUT_NAME}/metadata.env"
           if [ "${{ github.event_name }}" = "schedule" ]; then
-            echo "GIT_TAG=nightly/${{ inputs.name }}/$VERSION" >> $GITHUB_ENV
+            echo "GIT_TAG=nightly/${INPUT_NAME}/$VERSION" >> "$GITHUB_ENV"
           else
-            echo "GIT_TAG=${{ inputs.name }}/$VERSION" >> $GITHUB_ENV
+            echo "GIT_TAG=${INPUT_NAME}/$VERSION" >> "$GITHUB_ENV"
           fi
       -
         name: Docker meta
         id: meta
-        uses: docker/metadata-action@v6
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
         with:
           images: |
             ${{ env.REPO_SLUG }}
@@ -238,15 +257,15 @@ jobs:
           bake-target: meta-helper
       -
         name: Login to Docker Hub
-        uses: docker/login-action@v4
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
         if: ${{ inputs.release || github.event_name == 'schedule' }}
         with:
-          username: ${{ secrets.DOCKERPUBLICBOT_USERNAME }}
-          password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
+          username: ${{ secrets.dockerpublicbot_username }}
+          password: ${{ secrets.dockerpublicbot_write_pat }}
       -
         name: Build release
         id: build
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
         with:
           source: .
           files: |
@@ -262,7 +281,7 @@ jobs:
         name: List release artifacts
         run: |
           mkdir -p /tmp/release-squashed
-          cp ./bin/pkg/${{ inputs.name }}/metadata.env /tmp/release-squashed/
+          cp "./bin/pkg/${INPUT_NAME}/metadata.env" /tmp/release-squashed/
           find /tmp/release -mindepth 2 -maxdepth 2 ! -name metadata.env -exec cp -r -t /tmp/release-squashed {} +
           tree -nh /tmp/release-squashed | tee /tmp/packages.txt
           rm -rf /tmp/release-squashed
@@ -284,7 +303,7 @@ jobs:
           * commit: [\`${COMMIT}\`](${REPO}/commit/${COMMIT})
           EOF
 
-          if [ "${{ inputs.name }}" = "containerd" ]; then
+          if [ "$INPUT_NAME" = "containerd" ]; then
             cat >> "/tmp/summary.txt" <<-EOF
           * runc
             * repo: ${RUNC_REPO}
@@ -315,7 +334,7 @@ jobs:
           EOF
       -
         name: Set outputs
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         id: release-metadata
         with:
           script: |
@@ -351,4 +370,4 @@ jobs:
             $ undock --wrap --rm-dist --all ${{ env.REPO_SLUG }}:${{ steps.meta.outputs.version }} ./${{ inputs.name }}/${{ env.VERSION }}
             ```
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.ghtoken || github.token }}

.github/workflows/.pkgs.yml

@@ -1,6 +1,9 @@
 # reusable workflow
 name: .pkgs
 
+permissions:
+  contents: read
+
 on:
   workflow_call:
     outputs:
@@ -16,11 +19,11 @@ jobs:
     steps:
       -
         name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       -
         name: Set pkgs output
         id: set
-        uses: actions/github-script@v8
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           script: |
             const fs = require('fs');

.github/workflows/build-agent.yml

@@ -1,5 +1,8 @@
 name: build-agent
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -31,4 +34,3 @@ jobs:
     uses: ./.github/workflows/.build.yml
     with:
       name: agent
-    secrets: inherit

.github/workflows/build-buildx.yml

@@ -1,5 +1,8 @@
 name: build-buildx
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -31,4 +34,3 @@ jobs:
     uses: ./.github/workflows/.build.yml
     with:
       name: buildx
-    secrets: inherit

.github/workflows/build-compose.yml

@@ -1,5 +1,8 @@
 name: build-compose
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -31,4 +34,3 @@ jobs:
     uses: ./.github/workflows/.build.yml
     with:
       name: compose
-    secrets: inherit

.github/workflows/build-containerd.yml

@@ -1,5 +1,8 @@
 name: build-containerd
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -31,4 +34,3 @@ jobs:
     uses: ./.github/workflows/.build.yml
     with:
       name: containerd
-    secrets: inherit

.github/workflows/build-credential-helpers.yml

@@ -1,5 +1,8 @@
 name: build-credential-helpers
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -31,4 +34,3 @@ jobs:
     uses: ./.github/workflows/.build.yml
     with:
       name: credential-helpers
-    secrets: inherit

.github/workflows/build-docker-cli.yml

@@ -1,5 +1,8 @@
 name: build-docker-cli
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -31,4 +34,3 @@ jobs:
     uses: ./.github/workflows/.build.yml
     with:
       name: docker-cli
-    secrets: inherit

.github/workflows/build-docker-engine.yml

@@ -1,5 +1,8 @@
 name: build-docker-engine
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
@@ -31,4 +34,3 @@ jobs:
     uses: ./.github/workflows/.build.yml
     with:
       name: docker-engine
-    secrets: inherit