Skip to content

CI: Zizmor fixes others #539

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 45 commits into
base: main
Choose a base branch
from
Open

CI: Zizmor fixes others #539

wants to merge 45 commits into from
+354 −232

Conversation

@echoix
Copy link
Owner

@echoix echoix commented Aug 31, 2025

No description provided.

@echoix echoix force-pushed the zizmor-fixes-others branch from 5465052 to 4cd8a05 Compare August 31, 2025 19:33
echoix added 14 commits August 31, 2025 21:06
@echoix
checks: Enable GitHub Actions validation in super-linter
b6b8b23
@echoix
checks: Enable GitHub Actions zizmor validation in super-linter
164062b
@echoix
CI: Limit additional_checks.yml permissions to contents: read
6b2abd6
@echoix
CI: Avoid potential template injection issue in create-upload-suggest…
13d3a9a 
…ions

Solves zizmor's template-injection audit: https://docs.zizmor.sh/audits/#template-injection
@echoix
CI: Address actionlint/shellcheck issues in macos.yml workflow
009af6c
@echoix
CI: Address actionlint/shellcheck issues in macos.yml workflow
2e6bcbe
@echoix
CI: Address actionlint/shellcheck issues in additional_checks.yml wor…
9763516 
…kflow
@echoix
CI: Address actionlint/shellcheck and zizmor issues in cmake.yml work…
1ea3218 
…flow

- Use env vars directly instead of template substitution
- This includes renaming env var CMakeVersion to CMAKE_VERSION
- Double quote variables, and add braces
@echoix
CI(cmake): Remove unused CMAKE_OPTIONS env var, that shouldn't be dou…
e81c91a 
…ble quoted if ever used
@echoix
CI: Address actionlint/shellcheck and zizmor issues in coverity.yml w…
cee59d4 
…orkflow

- Use env vars directly instead of template substitution
- Double quote variables, and add braces
- Declare and assign exported env vars separately to avoid masking return values. (SC2155)
@echoix
CI(docker): Address actionlint/shellcheck and zizmor issues in docker…
404fc61 
….yml workflow
@echoix
CI: Address actionlint/shellcheck and zizmor issues in create_release…
444d51b 
…_draft.yml workflow
@echoix
DEBUG: Test create tarball with changes done below
4ac5fc0
@echoix
DEBUG: Test create tarball with GRASS env var overriden like when tag…
af58dd0 
… is used
@echoix echoix force-pushed the zizmor-fixes-others branch from 2e499a1 to af58dd0 Compare August 31, 2025 21:12
echoix added 10 commits August 31, 2025 21:25
@echoix
CI: Address actionlint/shellcheck and zizmor issues in ubuntu.yml wor…
5a3c22a 
…kflow
@echoix
Revert: Test create tarball with changes done below
3532cd3
@echoix
CI: Address actionlint/shellcheck and zizmor issues in milestones.yml…
1dcfffa 
… workflow
@echoix
CI: Ignore zizmor dangerous-triggers for milestones.yml workflow
78b1e1f 
To the best of my knowledge and after another review, this workflow is most appropriate to be used with pull_request_target limited to closed and merged PRs.
@echoix
CI: Address actionlint/shellcheck and zizmor issues in verify-success…
aa938b3 
….yml workflow
@echoix
CI: Address actionlint/shellcheck and zizmor issues in macos_distribu…
a47a2e4 
…te_app.yml workflow
@echoix
CI: Fix shellcheck SC2129 in macos_distribute_app.yml workflow
655e1f0
@echoix
CI: Address actionlint/shellcheck and zizmor issues in macos_distribu…
e3e5da6 
…te_app.yml workflow
@echoix
CI(docs): Fix ccache key using invalid python-version from matrix, us…
d210555 
…e env var instead
@echoix
CI: Address actionlint/shellcheck and zizmor issues in documentation.…
ab8abad 
…yml workflow

Two ShellCheck issues should be fixed later on regarding the use of ls in a for loop.
echoix added 21 commits August 31, 2025 23:12
@echoix
CI: Do not use cache with workflow_dispatch in documentation.yml work…
7e9cc9b 
…flow

Fixes a cache-poisoning issue reported by zizmor

Two separate steps are used. It is assuming that the push event is not used for tags and that these artifacts (using cache) are not published as release artifacts
@echoix
CI: Address actionlint/shellcheck and zizmor issues in gcc.yml workflow
9d6a6b0
@echoix
CI: Address actionlint/shellcheck and zizmor issues in periodic_updat…
933cd2b 
…e.yml workflow
@echoix
CI: Disable caching in additional_checks if potentially affected on r…
08ea041 
…eleases
@echoix
CI: Save and restore cached sample dataset to avoid some cases of pot…
9822e1b 
…ential cache-poisoning
@echoix
CI(ubuntu): Use matrix.config through an env var to avoid potential t…
c9c2d2f 
…emplate injection
@echoix
CI: Address actionlint/shellcheck and zizmor issues in python-code-qu…
099ee24 
…ality.yml workflow
@echoix
CI: Address zizmor issues in titles.yml workflow
7edb674
@echoix
CI: Re-allow downloading cached sample dataset
a162dd8
@echoix
CI: Address zizmor issues in label.yml workflow
811db2d
@echoix
CI: Address zizmor issue in post-pr-reviews.yml workflow
08bff47
@echoix
CI: Address actionlint/shellcheck issues in pytest.yml workflow
31e3d73
@echoix
CI: Address zizmor issue in pytest.yml workflow
015d815 
Cache poisoning is less problematic here as pytest workflow not really used for release artifacts
@echoix
CI: Address actionlint/shellcheck issues in codeql-analysis.yml workflow
ae7e1a8
@echoix
CI: Address actionlint/shellcheck issues in python-code-quality.yml w…
d8d67b6 
…orkflow
@echoix
CI: Address zizmor issue in python-code-quality.yml workflow
6d96ae8 
Cache poisoning is less problematic here as python-code-quality workflow not really used for release artifacts
@echoix
CI: Address actionlint/shellcheck and zizmor issues in osgeo4w.yml wo…
9d27e3a 
…rkflow
@echoix
checks: Add actionlint and zizmor to pre-commit hooks
80c57b7
@echoix
Merge branch 'main' into zizmor-fixes-others
e7af529
@echoix
Merge branch 'main' into zizmor-fixes-others
4f21cf4
@echoix
Merge branch 'main' into zizmor-fixes-others
f3146b9
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

CI macOS nix Windows

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@echoix