From 119c4703e52202d8d05d482ea680390de1668081 Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Sun, 22 Sep 2024 18:06:45 -0400
Subject: [PATCH] Fix zizmor warnings in github actions

---
 .github/workflows/build-docker-images.yml | 13 +++++++------
 .github/workflows/build-macos-openssl.yml | 2 ++
 .github/workflows/build-static-node.yml | 10 ++++++----
 .github/workflows/build-windows-openssl.yml | 2 ++
 .github/workflows/terraform.yml | 2 ++
 5 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/build-docker-images.yml b/.github/workflows/build-docker-images.yml
index a5b6d8b7..eafb532d 100644
--- a/.github/workflows/build-docker-images.yml
+++ b/.github/workflows/build-docker-images.yml
@@ -18,14 +18,13 @@ on:
 - 'runners/**'
 - 'cryptography-linux/**'
 
-permissions:
- contents: read
- packages: write
-
 jobs:
- # Build containers for x86
 build:
 runs-on: ${{ matrix.IMAGE.RUNNER }}
+ permissions:
+ contents: read
+ packages: write
+
 strategy:
 fail-fast: false
 matrix:
@@ -63,6 +62,8 @@ jobs:
 name: "${{ matrix.IMAGE.TAG_NAME }}"
 steps:
 - uses: actions/checkout@v4.1.7
+ with:
+ persist-credentials: false
 - run: |
 source ./staticnode/node-version.sh
 arch=$(echo "${{ runner.arch }}" | tr '[:upper:]' '[:lower:]')
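Review bot: Removing the workflow-level `permissions:` block (the three `-permissions:` / `- contents: read` / `- packages: write` lines of the first hunk) means any job in build-docker-images.yml other than `build` now runs with the repository's default GITHUB_TOKEN permissions, which can be read-write depending on repository settings; the new job-level block only covers `build`. Keeping an explicit empty floor at the top, `permissions: {}`, and letting `build` override it with `contents: read` / `packages: write` preserves least privilege for every job and, as far as I know, is the workflow-level default zizmor's excessive-permissions check expects. The same workflow-level removal happens in the first hunk of build-static-node.yml (`@@ -1,7 +1,4 @@`). Whether either file defines other jobs is not visible in this patch.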
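Review bot: The checkout step that the second hunk hardens is still pinned by tag, `actions/checkout@v4.1.7`; a tag is mutable, so the `persist-credentials: false` setting is only as trustworthy as whatever that tag resolves to on the day the job runs. Pin to the full commit SHA and keep the version as a trailing comment, `- uses: actions/checkout@<full-commit-sha>  # v4.1.7`, and let Dependabot or Renovate bump it; this is also what zizmor's stricter unpinned-uses policy asks for. The same tag pin appears in every other checkout hunk of this patch (build-macos-openssl.yml, build-static-node.yml, build-windows-openssl.yml, terraform.yml). The `run: |` step that follows the checkout continues past the end of this hunk.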
@@ -74,7 +75,7 @@ jobs:
 run: docker pull ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} || true
 if: github.event_name != 'schedule' && github.event_name != 'workflow_dispatch'
 - name: Build image
- run: docker build --pull --cache-from ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} -t ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} ${{ matrix.IMAGE.DOCKERFILE_PATH }} ${{ matrix.IMAGE.BUILD_ARGS }} --build-arg NODE_ARCH_RELEASE=${{ env.NODE_ARCH_RELEASE }}
+ run: docker build --pull --cache-from ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} -t ghcr.io/pyca/${{ matrix.IMAGE.TAG_NAME }} ${{ matrix.IMAGE.DOCKERFILE_PATH }} ${{ matrix.IMAGE.BUILD_ARGS }} --build-arg "NODE_ARCH_RELEASE=${NODE_ARCH_RELEASE}"
 - name: Login to docker
 run: 'docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD" ghcr.io'
 env:
diff --git a/.github/workflows/build-macos-openssl.yml b/.github/workflows/build-macos-openssl.yml
index 3bbeb657..0960f376 100644
--- a/.github/workflows/build-macos-openssl.yml
+++ b/.github/workflows/build-macos-openssl.yml
@@ -33,6 +33,8 @@ jobs:
 name: "Build OpenSSL for macOS (${{ matrix.ARCH.NAME }})"
 steps:
 - uses: actions/checkout@v4.1.7
+ with:
+ persist-credentials: false
 - name: Download OpenSSL
 run: |
 source ./cryptography-linux/openssl-version.sh
diff --git a/.github/workflows/build-static-node.yml b/.github/workflows/build-static-node.yml
index 55135484..18a73213 100644
--- a/.github/workflows/build-static-node.yml
+++ b/.github/workflows/build-static-node.yml
@@ -1,7 +1,4 @@
 name: Build Static Node.js Container
-permissions:
- contents: read
- packages: write
 
 on:
 pull_request:
@@ -19,6 +16,9 @@ jobs:
 build:
 name: Build node.js
 runs-on: ${{ matrix.IMAGE.RUNNER }}
+ permissions:
+ contents: read
+ packages: write
 strategy:
 fail-fast: false
 matrix:
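Review bot: The new `docker build` line now reads `${NODE_ARCH_RELEASE}` from the step's process environment rather than the `env` context, so if the earlier step that sources `node-version.sh` did not export it through `$GITHUB_ENV` (that step's body is not in this hunk) the expansion is silently empty and the image is built with `NODE_ARCH_RELEASE=`, because GitHub's default `bash -e` shell does not set `-u`. Switching the step to `run: |` and opening it with `: "${NODE_ARCH_RELEASE:?not set}"` fails fast instead; the `docker push` line in the last hunk of build-static-node.yml has the same dependency on `${NODE_ARCH}` and `${NODE_VERSION}`. Separately, the unchanged login step passes the token as `-p "$DOCKER_PASSWORD"`, which places the secret in the process's argv on the runner (docker itself warns about this); `echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin ghcr.io` keeps it off the command line. The remaining `${{ matrix.IMAGE.* }}` expansions are literal values from this file, so they are not a template-injection vector, but moving them into `env:` and quoting them would make the step consistent with the fix.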
@@ -27,6 +27,8 @@ jobs:
 - {RUNNER: [self-hosted, Linux, ARM64], MANYLINUX_ARCH: "aarch64"}
 steps:
 - uses: actions/checkout@v4.1.7
+ with:
+ persist-credentials: false
 - name: Set Node.js version
 run: |
 source ./staticnode/node-version.sh
@@ -50,5 +52,5 @@ jobs:
 DOCKER_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
 - name: Push image
- run: docker push ghcr.io/pyca/static-nodejs-${{ env.NODE_ARCH }}:${{ env.NODE_VERSION }}
+ run: docker push "ghcr.io/pyca/static-nodejs-${NODE_ARCH}:${NODE_VERSION}"
 if: (github.event_name == 'push' || github.event_name == 'schedule' || github.event_name == 'workflow_dispatch') && github.ref == 'refs/heads/main'
diff --git a/.github/workflows/build-windows-openssl.yml b/.github/workflows/build-windows-openssl.yml
index e2102b96..64cad245 100644
--- a/.github/workflows/build-windows-openssl.yml
+++ b/.github/workflows/build-windows-openssl.yml
@@ -27,6 +27,8 @@ jobs:
 name: "Build OpenSSL for ${{ matrix.ARCH }} on MSVC 2022"
 steps:
 - uses: actions/checkout@v4.1.7
+ with:
+ persist-credentials: false
 - run: choco install -y nasm winrar
 - name: Export OpenSSL version
 run: |
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
index 9e25a60f..e909acd8 100644
--- a/.github/workflows/terraform.yml
+++ b/.github/workflows/terraform.yml
@@ -17,6 +17,8 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4.1.7
+ with:
+ persist-credentials: false
 - run: terraform -chdir=terraform/ fmt -check
 - run: terraform -chdir=terraform/ init -backend=false
 # Need to have a values.yaml for validate to pass.
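Review bot: The first hunk of build-static-node.yml here still runs the checked-out tree's own script (`source ./staticnode/node-version.sh`) on a `[self-hosted, Linux, ARM64]` runner, and the earlier hunk of the same file shows the workflow is triggered by `pull_request`; `persist-credentials: false` keeps the token out of the checkout, but a pull request still executes its version of that script on a persistent machine, which the job-level permissions do not constrain. If the repository accepts pull requests from forks, consider gating this job on trusted events, e.g. `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`, or running the ARM64 leg on ephemeral runners. Whether fork PRs can reach this workflow, and whether the self-hosted runners are ephemeral, is not visible in this patch. The "Set Node.js version" step body continues past the end of the hunk.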