
Commit 9cfe9f6

authored
chore(actions): address zizmor findings (#16218)
1 parent 559b727 commit 9cfe9f6

7 files changed

Lines changed: 43 additions & 24 deletions


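--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -1,3 +1,6 @@
+permissions:
+  contents: read
+
 name: "CodeQL"
 
 on:
@@ -22,19 +25,22 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+        with:
+          persist-credentials: false
       - name: Checkout vcpkg
         uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
         with:
           path: "build/vcpkg"
           repository: "microsoft/vcpkg"
           fetch-depth: 0
+          persist-credentials: false
       - name: Checkout pinned vcpkg version
         run: >
           git -C build/vcpkg checkout -q $(<ci/etc/vcpkg-version.txt)
       - name: cache-vcpkg
         id: cache-vcpkg
-        uses: actions/cache@v6
+        uses: actions/cache@55cc8345863c7cc4c66a329aec7e433d2d1c52a9 # v6
         with:
           path: |
             ~/.cache/vcpkg
@@ -66,7 +72,7 @@ jobs:
             --clean-after-build
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3
         with:
           languages: ${{ matrix.language }}
 
@@ -86,4 +92,4 @@ jobs:
           cmake --build build/output
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@dd903d2e4f5405488e5ef1422510ee31c8b32357 # v3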
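Review bot: The `Checkout repository` step moves from a hash commented `# v7` to one commented `# v5`, while the `Checkout vcpkg` step a few lines below keeps the v7 hash, so this workflow now runs two majors of `actions/checkout`; the same v7-to-v5 move is made in `macos-bazel.yml` and `windows-bazel.yml`. If the downgrade is unintended, both steps should pin the same hash. Whichever major is intended, the `# vN` trailer has to match what the SHA actually resolves to, because the tooling that keeps pins current (Dependabot, zizmor) trusts that comment rather than re-resolving the hash. The `persist-credentials: false` additions on both checkouts are the right fix for the findings and need no further change.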

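--- a/.github/workflows/external-account-integration.yml
+++ b/.github/workflows/external-account-integration.yml
@@ -35,11 +35,12 @@ jobs:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
         with:
           ref: ${{ inputs.checkout-ref || github.sha }}
+          persist-credentials: false
       # Use BYOID identity and run the integration test
       - id: byoid-auth
         if: '!github.event.pull_request.head.repo.fork'
         name: 'Authenticate to GCP'
-        uses: 'google-github-actions/auth@v3'
+        uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3
         with:
           create_credentials_file: true
           workload_identity_provider: 'projects/49427430084/locations/global/workloadIdentityPools/github-wif-pool/providers/github-wif-provider'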

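--- a/.github/workflows/macos-bazel.yml
+++ b/.github/workflows/macos-bazel.yml
@@ -37,19 +37,22 @@ jobs:
         targets:
           - //google/cloud/storage/...
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ inputs.checkout-ref }}
-      - uses: google-github-actions/auth@v2
+          persist-credentials: false
+      - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
         if: ${{ inputs.bazel-cache-mode == 'READ_WRITE' }}
         with:
           create_credentials_file: true
           credentials_json: ${{ secrets.BUILD_CACHE_KEY }}
       - name: Install bash >= 5.x
         run: brew install bash
       - name: Pre Tests Disk Space
+        # zizmor: ignore[template-injection]
         run: df -m
       - name: Build google-cloud-cpp
+        # zizmor: ignore[template-injection]
         run: |
           export BAZEL_REMOTE_CACHE_RW_MODE=${{ inputs.bazel-cache-mode }}
           export EXECUTE_INTEGRATION_TESTS=${{ inputs.execute-integration-tests }}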
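Review bot: The `# zizmor: ignore[template-injection]` added to the `Pre Tests Disk Space` step sits above `run: df -m`, a line with no `${{ }}` expression, so it appears to suppress nothing and should be dropped. The suppression on `Build google-cloud-cpp` does cover real expansions (`inputs.bazel-cache-mode`, `inputs.execute-integration-tests` spliced into the shell script); today the caller in `test-runner.yml` passes literals, so the exposure is low, but the finding is cheaper to resolve than to ignore by moving the two inputs into the step's `env:` map, where they become ordinary environment variables instead of text pasted into the script. The `run: |` block continues past the end of this hunk, so the rest of the script is unchanged.

```yaml
      - name: Build google-cloud-cpp
        env:
          BAZEL_REMOTE_CACHE_RW_MODE: ${{ inputs.bazel-cache-mode }}
          EXECUTE_INTEGRATION_TESTS: ${{ inputs.execute-integration-tests }}
        run: |
          # … unchanged: rest of the build script; the two export lines are no longer needed …
```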

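--- a/.github/workflows/macos-cmake.yml
+++ b/.github/workflows/macos-cmake.yml
@@ -62,16 +62,17 @@ jobs:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
         with:
           ref: ${{ inputs.checkout-ref }}
-      - uses: google-github-actions/auth@v2
+          persist-credentials: false
+      - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
         if: ${{ inputs.sccache-mode == 'READ_WRITE' && inputs.vcpkg-cache-mode == 'readwrite' }}
         with:
           create_credentials_file: true
           credentials_json: ${{ secrets.BUILD_CACHE_KEY }}
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         id: py311
         with:
           python-version: '3.14'
-      - uses: google-github-actions/setup-gcloud@v2
+      - uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2
         env:
           CLOUDSDK_PYTHON: ${{ steps.py311.outputs.python-path }}
       - name: Dynamic Configuration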
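Review bot: `actions/setup-python` goes from `@v6` to a hash commented `# v5`, a major-version downgrade introduced under cover of pinning; the identical change is in `windows-cmake.yml`. With `python-version: '3.14'` requested two lines below, it is worth confirming that the v5 line can resolve that version before merging, or pinning the current v6 hash instead. Whichever major is intended, the `# vN` trailer must match what the SHA resolves to, since pin-update tooling trusts that comment. Note also that the `actions/checkout` context line here stays on the v7 hash while `macos-bazel.yml` and `windows-bazel.yml` were moved to a v5 hash in this same commit, so the repository now mixes checkout majors.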

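--- a/.github/workflows/test-runner.yml
+++ b/.github/workflows/test-runner.yml
@@ -1,8 +1,11 @@
+permissions:
+  contents: read
+
 name: "gha: macOS & Windows"
 
 # Build on pull requests and pushes to `main`. The PR builds will be
 # non-blocking for now, but that is configured elsewhere.
-on:
+on: # zizmor: ignore[dangerous-triggers]
   # Start these builds on pushes (think "after the merge") too. Normally there
   # are no `ci-gha**` branches in our repository. The contributors to the repo
   # can create such branches when testing or troubleshooting builds. In such
@@ -52,8 +55,11 @@ jobs:
     outputs:
       checkout-sha: ${{ steps.save-pull-request.outputs.sha }}
     steps:
+      # zizmor: ignore[template-injection]
       - name: Save Pull Request
         id: save-pull-request
+        # zizmor: ignore[template-injection]
+        # zizmor: ignore[template-injection]
         run: >
           echo "sha=${{ github.event.pull_request.head.sha || github.ref }}" >> $GITHUB_OUTPUT
 
@@ -65,29 +71,29 @@ jobs:
   macos-bazel:
     name: macOS-Bazel
     needs: [pre-flight]
-    uses: ./.github/workflows/macos-bazel.yml
+    uses: ./.github/workflows/macos-bazel.yml # zizmor: ignore[secrets-inherit]
     with:
       checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
       bazel-cache-mode: 'READ_WRITE'
       execute-integration-tests: true
-    secrets: inherit
+    secrets: inherit # zizmor: ignore[secrets-inherit]
   windows-bazel:
     # Disabled
     if: false
     name: Windows-Bazel
     needs: [pre-flight]
-    uses: ./.github/workflows/windows-bazel.yml
+    uses: ./.github/workflows/windows-bazel.yml # zizmor: ignore[secrets-inherit]
     with:
       checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
       bazel-cache-mode: 'READ_WRITE'
       execute-integration-tests: true
-    secrets: inherit
+    secrets: inherit # zizmor: ignore[secrets-inherit]
   macos-cmake:
     # Disabled
     if: false
     name: macOS-CMake
     needs: [pre-flight]
-    uses: ./.github/workflows/macos-cmake.yml
+    uses: ./.github/workflows/macos-cmake.yml # zizmor: ignore[secrets-inherit]
     with:
       checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
       # Build the full matrix only on push events to the default branch, or
@@ -102,11 +108,11 @@ jobs:
       sccache-mode: 'READ_WRITE'
       vcpkg-cache-mode: 'readwrite'
       execute-integration-tests: true
-    secrets: inherit
+    secrets: inherit # zizmor: ignore[secrets-inherit]
   windows-cmake:
     name: Windows-CMake
     needs: [pre-flight]
-    uses: ./.github/workflows/windows-cmake.yml
+    uses: ./.github/workflows/windows-cmake.yml # zizmor: ignore[secrets-inherit]
     with:
       checkout-ref: ${{ needs.pre-flight.outputs.checkout-sha }}
       # Build the full matrix only on push events to the default branch, or
@@ -121,4 +127,4 @@ jobs:
       sccache-mode: 'READ_WRITE'
       vcpkg-cache-mode: 'readwrite'
       execute-integration-tests: true
-    secrets: inherit
+    secrets: inherit # zizmor: ignore[secrets-inherit]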
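Review bot: The `dangerous-triggers` and `secrets-inherit` findings are suppressed rather than resolved, and the hunks show the exact combination those rules exist to catch: `pre-flight` exports `github.event.pull_request.head.sha` as `checkout-sha`, every reusable workflow checks that ref out, and each call carries `secrets: inherit`. If the trigger list under `on:` (outside this hunk) includes `pull_request_target`, a pull request's code would run with the repository's full secret set; the narrower fix is an explicit `secrets:` map forwarding only what the callees read (`BUILD_CACHE_KEY` in the bazel/cmake workflows, which would then need a matching `secrets:` declaration), together with the existing fork gating. The `ignore[secrets-inherit]` trailers on the `uses:` lines look redundant with the ones on `secrets: inherit` and can go. The three copies of `# zizmor: ignore[template-injection]` around `Save Pull Request` can all be removed by taking the expression out of the shell: `env:` / `PR_SHA: ${{ github.event.pull_request.head.sha || github.ref }}` / `run: echo "sha=${PR_SHA}" >> "$GITHUB_OUTPUT"`.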

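--- a/.github/workflows/windows-bazel.yml
+++ b/.github/workflows/windows-bazel.yml
@@ -40,10 +40,11 @@ jobs:
         targets:
           - //google/cloud/storage/...
     steps:
-      - uses: actions/checkout@v7
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
         with:
           ref: ${{ inputs.checkout-ref }}
-      - uses: google-github-actions/auth@v2
+          persist-credentials: false
+      - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
         if: ${{ inputs.bazel-cache-mode == 'READ_WRITE' }}
         with:
           create_credentials_file: true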

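--- a/.github/workflows/windows-cmake.yml
+++ b/.github/workflows/windows-cmake.yml
@@ -68,16 +68,17 @@ jobs:
       - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
         with:
           ref: ${{ inputs.checkout-ref }}
-      - uses: google-github-actions/auth@v2
+          persist-credentials: false
+      - uses: google-github-actions/auth@c200f3691d83b41bf9bbd8638997a462592937ed # v2
         if: ${{ inputs.sccache-mode == 'READ_WRITE' && inputs.vcpkg-cache-mode == 'readwrite' }}
         with:
           create_credentials_file: true
           credentials_json: ${{ secrets.BUILD_CACHE_KEY }}
-      - uses: actions/setup-python@v6
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         id: py311
         with:
           python-version: '3.14'
-      - uses: google-github-actions/setup-gcloud@v2
+      - uses: google-github-actions/setup-gcloud@e427ad8a34f8676edf47cf7d7925499adf3eb74f # v2
         env:
           CLOUDSDK_PYTHON: ${{ steps.py311.outputs.python-path }}
       - name: Dynamic Configuration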
