Is your feature request related to a problem? Please describe.
A new zizmor rule triggers on secrets used outside an environment.
It is generally a good thing. In most cases, it would make sense to have environments where the secret is defined only there, and which can have other restrictions on when it can be used. In some other cases, like the codecov upload token, which is used in different workflows, it might be better to wait a bit.
Changing the workflows is only part of the job. The other part is to actually define the environments, their rules and restrictions, add the tokens there, and remove the repo-wide tokens.
See the CI logs for the places where zizmor identifies such problems.
#7253
Note that due to how it works, that linter cannot know if the secret is actually defined in an environment. It probably never will, either.
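To make the two halves of the job concrete, here is an added example (not from this issue or from the project's workflows) of the same upload job written the way the linter flags it and the way it wants it. The workflow name, the `codecov` environment name, the `CODECOV_TOKEN` secret name and the test script are assumptions.

```yaml
# Added example, not from the issue or the project's own workflows.
# Workflow, job, environment, secret and script names are assumptions.

name: ci
on: [push]

jobs:
  # Before: the token comes from the repository-wide secret store.
  # Any job in any workflow that can reference `secrets.CODECOV_TOKEN`
  # receives it; no branch restriction or reviewer gate applies.
  upload-coverage-before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run-tests.sh
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}

  # After: the job declares an environment. The token is then defined on
  # that environment (repository settings > Environments > codecov), where
  # deployment branch rules and required reviewers can be attached to it.
  # Once every consumer has moved, the repository-wide copy is deleted.
  upload-coverage:
    runs-on: ubuntu-latest
    environment: codecov
    steps:
      - uses: actions/checkout@v4
      - run: ./run-tests.sh
      - uses: codecov/codecov-action@v4
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
```

The caveat from the issue applies directly to the second job: zizmor only reads the workflow file, so adding `environment: codecov` silences the finding even if `CODECOV_TOKEN` is still a repository-wide secret (repository secrets remain visible to jobs that use an environment unless an environment secret of the same name overrides them). The linter checks that the workflow is shaped correctly; whether the token was actually moved into the environment and removed from the repository has to be verified in the repository settings, not in CI output.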