Pin action SHAs and fix zizmor findings in Gitea workflows
Assisted-by: GLM-5 via pi
change llymtvorvzqsknnovwqurwpkuxpnmuwx
commit 649899af43b0a2d95ed35e182af362bd98d92ec5
author Alpha Chen <alpha@kejadlen.dev>
date
parent ykrtzoqs
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index c79ab61..82f6a30 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -11,7 +11,7 @@ jobs:
   ci:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
       - run: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
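Review bot: The pin comment on the new checkout line records only the major tag (`# v4`), so a reader cannot tell which release the SHA corresponds to without resolving it, and update tooling that keys on the comment has no precise current version to compare against; the same applies to the checkout pins in release.yml and zizmor.yml, while the zizmor-action pin in zizmor.yml already records the exact tag. Record the exact release tag the SHA resolves to, e.g. `- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.<minor>.<patch>` (placeholder — use the actions/checkout release tag that resolves to this SHA). The rustup bootstrap on the following context line remains an unpinned network fetch that this commit does not touch.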
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index ac35a11..2053429 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -1,6 +1,6 @@
 name: Tag release
 
-on:
+on: # zizmor: ignore[dangerous-triggers] -- scoped to main branch only, checks CI conclusion
   workflow_run:
     workflows: [CI]
     types: [completed]
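Review bot: The suppression's justification ("scoped to main branch only") refers to a `branches:` filter that is not in this hunk, and the release job's `if:` in the next hunk only tests `github.event.workflow_run.conclusion == 'success'`, not which branch or repository produced the triggering run, even though a `workflow_run` job runs with the base repository's permissions. Either make the comment point at the exact mechanism, `on: # zizmor: ignore[dangerous-triggers] -- workflow_run.branches restricts to main; release job if: also requires CI conclusion == success`, or enforce it where the suppression is read by extending the job condition with `&& github.event.workflow_run.head_branch == 'main'`. Whether Gitea populates `head_branch` (and `head_repository`) on `workflow_run` events should be confirmed before relying on them; the `on:` block continues past the hunk.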
@@ -15,9 +15,10 @@ jobs:
     if: github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success'
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Calculate version
         id: version
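Review bot: `persist-credentials: false` is added to a checkout in the job whose `Push tag` step (next hunk) pushes to the repository; once the checkout no longer leaves the token in the clone's git config, that push will fail with an authentication error unless the step supplies credentials itself, and the push command lies outside the visible hunks so this cannot be confirmed here. If the step relies on the persisted token, either keep `persist-credentials: true` for this job with a comment stating that the push needs it, or pass a token to the push step explicitly through an `env:` entry and an authenticated remote URL, so the least-privilege default holds for the other steps.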
@@ -28,8 +29,9 @@ jobs:
           echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
 
       - name: Push tag
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
           TAG="v${VERSION}"
 
           # Skip if this tag already exists
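Review bot: Moving the version into `env:` removes the template expansion from the script, but `VERSION` can still arrive empty (the `Calculate version` output is written outside this hunk), in which case `TAG="v${VERSION}"` silently becomes the tag `v` and the rest of the step proceeds with it. Add a guard as the first line of the script, `: "${VERSION:?Calculate version produced no version}"`, so the step aborts with a clear message instead. The script body continues past the hunk.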
diff --git a/.gitea/workflows/zizmor.yml b/.gitea/workflows/zizmor.yml
index 7c22068..c8a25f0 100644
--- a/.gitea/workflows/zizmor.yml
+++ b/.gitea/workflows/zizmor.yml
@@ -11,10 +11,10 @@ jobs:
   zizmor:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
         with:
           persist-credentials: false
-      - uses: zizmorcore/zizmor-action@v0
+      - uses: zizmorcore/zizmor-action@f52a838cf72f9a4d006ac950b7e1cc379a3e3b64 # v0.1.1
         with:
           inputs: .gitea/workflows/* .github
           advanced-security: false