ci(zizmor): security fixes

thomasleplus · thomasleplus · commit 5f5e7ebd6021 · 2025-08-28T21:30:02.000+02:00
diff --git a/.github/workflows/automerge.yml b/.github/workflows/automerge.yml
@@ -10,7 +10,7 @@ permissions:
 jobs:
   dependabot:
     runs-on: ubuntu-latest
-    if: ${{ github.actor == 'dependabot[bot]' }}
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' }}
     steps:
       - name: Enable auto-merge for Dependabot PRs
         shell: bash
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -47,6 +47,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       # Add any setup steps before running the `github/codeql-action/init` action.
       # This includes steps like installing compilers or runtimes (`actions/setup-node`
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -11,5 +11,7 @@ jobs:
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
       - name: "Dependency Review"
         uses: actions/dependency-review-action@bc41886e18ea39df68b1b1245f4184881938e050 # v4.7.2
diff --git a/.github/workflows/devskim.yml b/.github/workflows/devskim.yml
@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Run DevSkim scanner
         uses: microsoft/DevSkim-Action@4b5047945a44163b94642a1cecc0d93a3f428cc6 # v1.0.16
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
@@ -24,6 +24,8 @@ jobs:
           IFS=$'\n\t'	
           echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
       - name: Set SOURCE_DATE_EPOCH
         run: |
           set -euo pipefail
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
@@ -21,6 +21,8 @@ jobs:
           IFS=$'\n\t'	
           echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
       - name: Set SOURCE_DATE_EPOCH
         run: |
           set -euo pipefail
diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
@@ -25,6 +25,8 @@ jobs:
           IFS=$'\n\t'	
           echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
       - name: Pull the ${{ matrix.tag }} ${{ matrix.platform }} image
         shell: bash
         run: |
diff --git a/.github/workflows/maven-check-versions.yml b/.github/workflows/maven-check-versions.yml
@@ -25,6 +25,8 @@ jobs:
           IFS=$'\n\t'	
           echo "MAVEN_CLI_OPTS=-f ${IMAGE}/pom.xml" >> "${GITHUB_ENV}"
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
       - name: Check the versions
         uses: docker://leplusorg/maven-check-versions:3.9.11@sha256:cabe45dc45c644032ba61b2f43e304baf382e834efe76d74a81c666b893c5dc2
         env:
diff --git a/.github/workflows/maven-dependency-check.yml b/.github/workflows/maven-dependency-check.yml
@@ -28,6 +28,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
       - name: Set up JDK
         uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
         with:
diff --git a/.github/workflows/msdo.yml b/.github/workflows/msdo.yml
@@ -25,6 +25,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Run Microsoft Security DevOps scanner
         uses: microsoft/security-devops-action@08976cb623803b1b36d7112d4ff9f59eae704de0 # v1.12.0
diff --git a/.github/workflows/super-linter.yml b/.github/workflows/super-linter.yml
@@ -54,6 +54,7 @@ jobs:
           # Full git history is needed to get a proper list of changed
           # files within `super-linter`
           fetch-depth: 0
+          persist-credentials: false
 
       ################################
       # Run Linter against code base #
