Clean up workflow files from Zizmor output

.github/workflows/_build-any.yml

@@ -54,6 +54,8 @@ jobs:
 
       - name: Check out repo
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        with:
+          persist-credentials: false
 
       - name: Optimize macOS Runner
         uses: ./.github/actions/macos-runner-tuneup
@@ -84,7 +86,7 @@ jobs:
         run: |
           brew update
           brew bundle
-          bundle exec fastlane load_dotenv_file --env $_BW_ENV
+          bundle exec fastlane load_dotenv_file --env "$_BW_ENV"
 
 
       - name: Log in to Azure
@@ -111,10 +113,10 @@ jobs:
             local az_filename=$2
             local local_filename=$3
 
-            az storage blob download --account-name bitwardenci --container-name $container_name --name $az_filename --file $local_filename --output none --only-show-errors --no-progress
+            az storage blob download --account-name bitwardenci --container-name "$container_name" --name "$az_filename" --file "$local_filename" --output none --only-show-errors --no-progress
           }
 
-          mkdir -p $HOME/secrets
+          mkdir -p "$HOME/secrets"
 
           profiles_dir_path="$HOME/Library/MobileDevice/Provisioning Profiles"
           mkdir -p "$profiles_dir_path"
@@ -123,30 +125,30 @@ jobs:
           for FILE in "${profiles[@]}"
           do
             echo "⌛️ Downloading provisioning profile $FILE..."
-            local_profile_path=$HOME/secrets/$FILE
+            local_profile_path="$HOME/secrets/$FILE"
 
-            az_download profiles $FILE $local_profile_path
+            az_download profiles "$FILE" "$local_profile_path"
 
-            profile_uuid=$(grep UUID -A1 -a $local_profile_path | grep -io "[-A-F0-9]\{36\}")
-            cp $local_profile_path "$profiles_dir_path/$profile_uuid.mobileprovision"
+            profile_uuid=$(grep UUID -A1 -a "$local_profile_path" | grep -io "[-A-F0-9]\{36\}")
+            cp "$local_profile_path" "$profiles_dir_path/$profile_uuid.mobileprovision"
           done
 
           echo "⌛️ Downloading Google-Services.plist..."
-          az_download mobile $_AZ_CRASHLYTICS_FILE_NAME $_CRASHLYTICS_PATH
+          az_download mobile "$_AZ_CRASHLYTICS_FILE_NAME" "$_CRASHLYTICS_PATH"
 
           if [[ "$_APP" == "password_manager" ]]; then
             echo "⌛️ Downloading Google-Services.plist for watchOS..."
-            az_download mobile $_AZ_CRASHLYTICS_FILE_NAME "BitwardenWatchApp/GoogleService-Info.plist"
+            az_download mobile "$_AZ_CRASHLYTICS_FILE_NAME" "BitwardenWatchApp/GoogleService-Info.plist"
             plutil -replace BUNDLE_ID -string '$BUNDLE_ID.watchkitapp' BitwardenWatchApp/GoogleService-Info.plist
           fi
 
           echo "⌛️ Downloading fastlane credentials..."
-          az_download mobile appstoreconnect-fastlane.json $HOME/secrets/appstoreconnect-fastlane.json
+          az_download mobile appstoreconnect-fastlane.json "$HOME/secrets/appstoreconnect-fastlane.json"
 
           echo "⌛️ Downloading distribution certificate..."
-          mkdir -p $HOME/certificates
+          mkdir -p "$HOME/certificates"
           az keyvault secret show --id https://bitwarden-ci.vault.azure.net/certificates/ios-distribution |
-            jq -r .value | base64 -d > $HOME/certificates/ios-distribution.p12
+            jq -r .value | base64 -d > "$HOME/certificates/ios-distribution.p12"
 
           echo "✅ All secrets downloaded!"
 
@@ -159,31 +161,31 @@ jobs:
         env:
           KEYCHAIN_PASSWORD: ${{ steps.get-kv-secrets.outputs.IOS-KEYCHAIN-PASSWORD }}
         run: |
-          security create-keychain -p $KEYCHAIN_PASSWORD build.keychain
+          security create-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
           security default-keychain -s build.keychain
-          security unlock-keychain -p $KEYCHAIN_PASSWORD build.keychain
+          security unlock-keychain -p "$KEYCHAIN_PASSWORD" build.keychain
           security set-keychain-settings -lut 1200 build.keychain
 
-          security import $HOME/certificates/ios-distribution.p12 -k build.keychain -P "" -T /usr/bin/codesign \
+          security import "$HOME/certificates/ios-distribution.p12" -k build.keychain -P "" -T /usr/bin/codesign \
             -T /usr/bin/security
-          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k $KEYCHAIN_PASSWORD build.keychain
+          security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_PASSWORD" build.keychain
 
       - name: Setup code files
         run: |
           bundle exec fastlane setup_code_files \
-            --env $_BW_ENV \
-            build_mode:$_BUILD_MODE \
-            version_name:$_VERSION_NAME \
-            version_number:$_VERSION_NUMBER \
+            --env "$_BW_ENV" \
+            build_mode:"$_BUILD_MODE" \
+            version_name:"$_VERSION_NAME" \
+            version_number:"$_VERSION_NUMBER" \
             compiler_flags:"$_COMPILER_FLAGS"
 
           bundle exec fastlane update_ci_build_info \
-            --env $_BW_ENV \
-            repository:$GITHUB_REPOSITORY \
-            branch:$GITHUB_REF_NAME \
-            commit_hash:$GITHUB_SHA \
-            ci_run_number:$GITHUB_RUN_ID \
-            ci_run_attempt:$GITHUB_RUN_ATTEMPT \
+            --env "$_BW_ENV" \
+            repository:"$GITHUB_REPOSITORY" \
+            branch:"$GITHUB_REF_NAME" \
+            commit_hash:"$GITHUB_SHA" \
+            ci_run_number:"$GITHUB_RUN_ID" \
+            ci_run_attempt:"$GITHUB_RUN_ATTEMPT" \
             compiler_flags:"$_COMPILER_FLAGS"
 
       - name: Cache Mint packages
@@ -202,28 +204,28 @@ jobs:
 
       - name: Build ${{ inputs.bw-env }}
         run: |
-          ./Scripts/build.sh $_BUILD_PROJECT_PATH $_BUILD_SCHEME $_BUILD_MODE
+          ./Scripts/build.sh "$_BUILD_PROJECT_PATH" "$_BUILD_SCHEME" "$_BUILD_MODE"
 
       - name: Prepare artifacts for upload to GitHub
         run: |
-          mkdir -p $_EXPORT_PATH
-          mkdir -p $_EXPORT_PATH/dSYMs
+          mkdir -p "$_EXPORT_PATH"
+          mkdir -p "$_EXPORT_PATH/dSYMs"
 
           bundle exec fastlane post_build \
-            --env $_BW_ENV \
-            build_mode:$_BUILD_MODE \
-            export_path:$_EXPORT_PATH
+            --env "$_BW_ENV" \
+            build_mode:"$_BUILD_MODE" \
+            export_path:"$_EXPORT_PATH"
 
       - name: Get artifact name
         id: get_file_paths
         run: |
           OUTPUT=$(bundle exec fastlane get_artifact_name \
-            --env $_BW_ENV \
-            build_mode:$_BUILD_MODE \
-            version_name:$_VERSION_NAME \
-            version_number:$_VERSION_NUMBER \
-            xcode_version:$_XCODE_VERSION \
-            export_path:$_EXPORT_PATH)
+            --env "$_BW_ENV" \
+            build_mode:"$_BUILD_MODE" \
+            version_name:"$_VERSION_NAME" \
+            version_number:"$_VERSION_NUMBER" \
+            xcode_version:"$_XCODE_VERSION" \
+            export_path:"$_EXPORT_PATH")
 
           ARTIFACT_NAME=$(echo "$OUTPUT" | grep "artifact_filename: " | cut -d' ' -f3)
           EXPORT_FILEPATH=$(echo "$OUTPUT" | grep "export_filepath: " | cut -d' ' -f3)
@@ -238,8 +240,8 @@ jobs:
             exit 1
           fi
 
-          echo "artifact_filename=$ARTIFACT_NAME" >> $GITHUB_OUTPUT
-          echo "export_filepath=$EXPORT_FILEPATH" >> $GITHUB_OUTPUT
+          echo "artifact_filename=$ARTIFACT_NAME" >> "$GITHUB_OUTPUT"
+          echo "export_filepath=$EXPORT_FILEPATH" >> "$GITHUB_OUTPUT"
 
       - name: Upload artifacts to GitHub
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
@@ -250,30 +252,33 @@ jobs:
 
       - name: Set up private auth key
         if: env._BUILD_MODE == 'Device'
+        env:
+          _APP_STORE_CONNECT_AUTH_KEY: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }}
         run: |
           mkdir ~/private_keys
           cat << EOF > ~/private_keys/AuthKey_J46C83CB96.p8
-          ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-AUTH-KEY }}
+          ${_APP_STORE_CONNECT_AUTH_KEY}
           EOF
 
       - name: Validate app with App Store Connect
         if: env._BUILD_MODE == 'Device' && false # Set to true to debug failing submissions
         env:
           _EXPORT_FILEPATH: ${{ steps.get_file_paths.outputs.export_filepath }}
+          _ISSUER: ${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }}
         run: |
           xcrun altool --validate-app \
             --type ios \
             --file "$_EXPORT_FILEPATH" \
             --apiKey "J46C83CB96" \
-            --apiIssuer "${{ steps.get-kv-secrets.outputs.APP-STORE-CONNECT-TEAM-ISSUER }}"
+            --apiIssuer "${_ISSUER}"
 
       - name: Upload dSYM files to Crashlytics
         if: ${{ env._BUILD_MODE == 'Device' }}
         continue-on-error: true
         run: |
-          find $_EXPORT_PATH/dSYMs -name "*.dSYM" \
+          find "$_EXPORT_PATH/dSYMs" -name "*.dSYM" \
             -exec "./build/DerivedData/SourcePackages/checkouts/firebase-ios-sdk/Crashlytics/upload-symbols" \
-            -gsp $_CRASHLYTICS_PATH \
+            -gsp "$_CRASHLYTICS_PATH" \
             -p ios -- {} +
 
       - name: Upload app to TestFlight with Fastlane
@@ -288,7 +293,7 @@ jobs:
           $_GITHUB_ACTION_RUN_URL"
 
           bundle exec fastlane upload_build \
-            --env $_BW_ENV \
+            --env "$_BW_ENV" \
             api_key_path:"$HOME/secrets/appstoreconnect-fastlane.json" \
             changelog:"$CHANGELOG" \
             ipa_path:"$_EXPORT_FILEPATH"

.github/workflows/_version.yml

@@ -67,25 +67,31 @@ jobs:
           inputs: "${{ toJson(inputs) }}"
 
       - name: Echo distinct ID ${{ github.event.inputs.distinct_id }}
-        run: echo ${{ github.event.inputs.distinct_id }}
+        env:
+          _DISTINCT_ID: ${{ inputs.distinct_id }}
+        run: echo "${_DISTINCT_ID}"
 
       - name: Check out repository
         if: ${{ !inputs.skip_checkout || false }}
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Calculate version name
         id: calc-version-name
+        env:
+          _VERSION_NAME: ${{ inputs.version_name }}
+          _PATCH_VERSION: ${{ inputs.patch_version }}
         run: |
           output() {
             local version_name=$1
-            echo "version_name=$version_name" >> $GITHUB_OUTPUT
+            echo "version_name=$version_name" >> "$GITHUB_OUTPUT"
           }
 
           # override version name if provided
-          if [[ ! -z "${{ inputs.version_name }}" ]]; then
-            version_name=${{ inputs.version_name }}
+          if [[ ! -z "${_VERSION_NAME}" ]]; then
+            version_name=${_VERSION_NAME}
             echo "::warning::Override applied: $version_name"
             output "$version_name"
             exit 0
@@ -96,7 +102,7 @@ jobs:
 
           latest_tag_version=$(git tag --sort=committerdate --list | tail -1)
           if [[ -z "$latest_tag_version" ]]; then
-            version_name="${current_year}.${current_month}.${{ inputs.patch_version || 0 }}"
+            version_name="${current_year}.${current_month}.${_PATCH_VERSION}"
             echo "::warning::No tags found, did you checkout? Calculating version from current date: $version_name"
             output "$version_name"
             exit 0
@@ -105,14 +111,14 @@ jobs:
           # Git tag was found, calculate version from latest tag
           latest_version=${latest_tag_version:1}  # remove 'v' from tag version
 
-          latest_major_version=$(echo $latest_version | cut -d "." -f 1)
-          latest_minor_version=$(echo $latest_version | cut -d "." -f 2)
+          latest_major_version=$(echo "$latest_version" | cut -d "." -f 1)
+          latest_minor_version=$(echo "$latest_version" | cut -d "." -f 2)
           patch_version=0
-          if [[ ! -z "${{ inputs.patch_version }}" ]]; then
-            patch_version=${{ inputs.patch_version }}
+          if [[ ! -z "${_PATCH_VERSION}" ]]; then
+            patch_version=${_PATCH_VERSION}
             echo "::warning::Patch Version Override applied: $patch_version"
           elif [[ "$current_year" == "$latest_major_version" && "$current_month" == "$latest_minor_version" ]]; then
-            latest_patch_version=$(echo $latest_version | cut -d "." -f 3)
+            latest_patch_version=$(echo "$latest_version" | cut -d "." -f 3)
             patch_version=$(($latest_patch_version + 1))
           fi
 
@@ -121,30 +127,35 @@ jobs:
 
       - name: Calculate version number
         id: calc-version-number
+        env:
+          _VERSION_NUMBER: ${{ inputs.version_number }}
         run: |
           # override version number if provided
-          if [[ ! -z "${{ inputs.version_number }}" ]]; then
-            version_number=${{ inputs.version_number }}
+          if [[ ! -z "${_VERSION_NUMBER}" ]]; then
+            version_number=${_VERSION_NUMBER}
             echo "::warning::Override applied: $version_number"
-            echo "version_number=$version_number" >> $GITHUB_OUTPUT
+            echo "version_number=$version_number" >> "$GITHUB_OUTPUT"
             exit 0
           fi
 
-          version_number=$(($GITHUB_RUN_NUMBER + ${{ env.BASE_VERSION_NUMBER }}))
-          echo "version_number=$version_number" >> $GITHUB_OUTPUT
+          version_number=$(($GITHUB_RUN_NUMBER + ${BASE_VERSION_NUMBER}))
+          echo "version_number=$version_number" >> "$GITHUB_OUTPUT"
 
       - name: Create version info JSON
+        env:
+          _VERSION_NUMBER: ${{ steps.calc-version-number.outputs.version_number }}
+          _VERSION_NAME: ${{ steps.calc-version-name.outputs.version_name }}
         run: |
           json='{
-            "version_number": "${{ steps.calc-version-number.outputs.version_number }}",
-            "version_name": "${{ steps.calc-version-name.outputs.version_name }}"
+            "version_number": "${_VERSION_NUMBER}",
+            "version_name": "${_VERSION_NAME}"
           }'
           echo "$json" > version_info.json
 
-          echo "## version-info.json" >> $GITHUB_STEP_SUMMARY
-          echo '```json' >> $GITHUB_STEP_SUMMARY
-          echo "$json" >> $GITHUB_STEP_SUMMARY
-          echo '```' >> $GITHUB_STEP_SUMMARY
+          echo "## version-info.json" >> "$GITHUB_STEP_SUMMARY"
+          echo '```json' >> "$GITHUB_STEP_SUMMARY"
+          echo "$json" >> "$GITHUB_STEP_SUMMARY"
+          echo '```' >> "$GITHUB_STEP_SUMMARY"
 
       - name: Upload version info artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2

.github/workflows/cron-update-public-suffix-list.yml

@@ -20,21 +20,23 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        with:
+          persist-credentials: true
 
       - name: Download latest PSL list
         run: |
-          curl -s $SOURCE_URL -o $PSL_FILE
+          curl -s "$SOURCE_URL" -o "$PSL_FILE"
 
       - name: Check for changes
         id: check-changes
         run: |
-          if git diff --quiet -- $PSL_FILE; then
+          if git diff --quiet -- "$PSL_FILE"; then
             echo "✅ No changes detected, skipping..."
-            echo "has_changes=false" >> $GITHUB_OUTPUT
+            echo "has_changes=false" >> "$GITHUB_OUTPUT"
             exit 0
           fi
 
-          echo "has_changes=true" >> $GITHUB_OUTPUT
+          echo "has_changes=true" >> "$GITHUB_OUTPUT"
           echo "👀 Changes detected"
 
       - name: Create branch and commit
@@ -45,11 +47,11 @@ jobs:
           BRANCH_NAME="cron-sync-public-suffix-list/$GITHUB_RUN_NUMBER-sync"
           git config user.name "GitHub Actions Bot"
           git config user.email "actions@github.com"
-          git checkout -b $BRANCH_NAME
-          git add $PSL_FILE
+          git checkout -b "$BRANCH_NAME"
+          git add "$PSL_FILE"
           git commit -m "Update public suffix list"
-          git push origin $BRANCH_NAME
-          echo "BRANCH_NAME=$BRANCH_NAME" >> $GITHUB_ENV
+          git push origin "$BRANCH_NAME"
+          echo "BRANCH_NAME=$BRANCH_NAME" >> "$GITHUB_ENV"
           echo "🌱 Branch created: $BRANCH_NAME"
 
       - name: Create Pull Request
@@ -66,6 +68,6 @@ jobs:
             --title "Update public suffix list" \
             --body-file - \
             --base main \
-            --head $BRANCH_NAME \
+            --head "$BRANCH_NAME" \
             --label "automated-pr" \
             --label "t:ci")

.github/workflows/crowdin-pull.yml

@@ -17,6 +17,8 @@ jobs:
     steps:
       - name: Checkout repo
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        with:
+          persist-credentials: false
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main

.github/workflows/crowdin-push.yml

@@ -17,6 +17,8 @@ jobs:
     steps:
       - name: Check out repo
         uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4.3.0
+        with:
+          persist-credentials: false
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main