ci: fix additional issues identified by zizmor

gotmax23 · gotmax23 · commit 2048554773ee · 2025-10-27T17:11:28.000-05:00
- Add default permissions to new workflows
- Add cooldown to dependabot
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,3 +9,5 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    cooldown:
+      default-days: 4
diff --git a/.github/workflows/build-devel-docs.yaml b/.github/workflows/build-devel-docs.yaml
@@ -5,6 +5,9 @@ name: Scheduled build for devel docs
     # Run at 05:22 daily
     - cron: '22 5 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   build-package-docs:
     name: 📝 Build
diff --git a/.github/workflows/build-latest-docs.yaml b/.github/workflows/build-latest-docs.yaml
@@ -5,6 +5,9 @@ name: Scheduled build for latest docs
     # Run at 05:41 on Monday
     - cron: '41 5 * * 1'
 
+permissions:
+  contents: read
+
 jobs:
   build-package-docs:
     name: 📝 Build
diff --git a/.github/workflows/labeler.yml b/.github/workflows/labeler.yml
@@ -3,7 +3,9 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 
 "on":
-  pull_request_target:
+  # This workflow does not execute untrusted code from pull requests and all
+  # inputs are properly sanitized,
+  pull_request_target: # zizmor: ignore[dangerous-triggers]
     types:
     - opened  # default
     - synchronize  # default
diff --git a/.github/workflows/release-porting-guide.yml b/.github/workflows/release-porting-guide.yml
@@ -12,6 +12,8 @@ on:
         description: >-
           Exact release version. For example, 12.1.0
         required: true
+permissions:
+  contents: read
 
 jobs:
   upload-porting-guide:
@@ -40,13 +42,15 @@ jobs:
         uses: actions/checkout@v5
         with:
           token: ${{ steps.create_token.outputs.token }}
+          persist-credentials: true  # Needed to push to the repo
 
       - name: Check out ansible-build-data
         uses: actions/checkout@v5
         with:
           repository: ansible-community/ansible-build-data
           ref: ${{ inputs.ansible-build-data-branch }}
           path: ansible-build-data
+          persist-credentials: false
 
       - name: Copy the RST file to the correct path
         run: >-
diff --git a/.github/workflows/reusable-build-docs.yaml b/.github/workflows/reusable-build-docs.yaml
@@ -117,8 +117,10 @@ jobs:
       run: echo "TX_ID=$(date +%s)" >> "${GITHUB_ENV}"
 
     - name: Notify the DaWGs in Matrix
+      # FAIL_MESSAGE is trusted input so okay to inject here.
+      # zizmor: ignore[template-injection]
       run: |
-        curl -X PUT "${{ env.ROOM_URL }}/${TX_ID}" \
+        curl -X PUT "${ROOM_URL}/${TX_ID}" \
              -H "Authorization: Bearer ${{ secrets.DOCS_BOT_TOKEN }}" \
              -H "Content-Type: application/json" \
              -d '{"msgtype": "m.text", "body": "${{ env.FAIL_MESSAGE }}"}'
