address pedantic zizmor feedback (#136)

found-it · web-flow · commit 54d0ab0325b1 · 2025-10-21T11:00:41.000-06:00
* address pedantic zizmor feedback

Signed-off-by: James Petersen &lt;jpetersenames@gmail.com&gt;

* upgrade setup-python

Signed-off-by: James Petersen &lt;jpetersenames@gmail.com&gt;

---------

Signed-off-by: James Petersen &lt;jpetersenames@gmail.com&gt;
diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
@@ -5,6 +5,8 @@ updates:
   directory: "/"
   schedule:
     interval: "daily"
+  cooldown:
+    default-days: 7
   groups:
     actions-updates:
       dependency-type: "production"
@@ -17,6 +19,8 @@ updates:
   directory: "/"
   schedule:
     interval: "daily"
+  cooldown:
+    default-days: 7
   groups:
     cargo-updates:
       dependency-type: "production"
diff --git a/.github/workflows/ci-actions.yaml b/.github/workflows/ci-actions.yaml
@@ -7,37 +7,37 @@ on:
     branches: ["**"]
 
 permissions:
-  contents: read
+  contents: read # Default token to read
 
 jobs:
   zizmor:
     name: zizmor latest via PyPI
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
-      contents: read
-      actions: read
+      security-events: write # Needed to write security events to github
+      contents: read         # Needed to read clone repo
+      actions: read          # Needed to read actions
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
       - name: Install the latest version of uv
-        uses: astral-sh/setup-uv@b75a909f75acd358c2196fb9a5f1299a9a8868a4 # v4
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
 
       - name: Run zizmor
         run: uvx zizmor --pedantic --format sarif . > results.sarif 
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3
+        uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
         with:
           sarif_file: results.sarif
           category: zizmor
diff --git a/.github/workflows/ci-chart.yaml b/.github/workflows/ci-chart.yaml
@@ -9,19 +9,20 @@ on:
       - .github/workflows/ci-chart.yaml
 
 permissions:
-  contents: read
+  contents: read # Default token to read
 
 jobs:
   lint-test:
+    name: Lint and Test Charts
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
-      - name: Checkout
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           fetch-depth: 0
           persist-credentials: false
@@ -31,7 +32,8 @@ jobs:
         with:
           version: v3.14.4
 
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v5
+      - name: Set up python
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: '3.x'
           check-latest: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -8,7 +8,7 @@ on:
     - published
 
 permissions:
-  contents: read
+  contents: read # Default token to read
 
 jobs:
   build-push-image:
@@ -20,8 +20,8 @@ jobs:
         component:
         - webhook
     permissions:
-      contents: read
-      packages: write
+      contents: read  # Needed to check out code
+      packages: write # Needed to write image to ghcr
       id-token: write # Needed for cosign to use github OIDC token
     steps:
       - name: 'Harden runner'
@@ -101,8 +101,8 @@ jobs:
     name: Publish Helm chart for protect-webhook
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      packages: write
+      contents: read  # Needed to check out code
+      packages: write # Needed to write helm chart to ghcr
     steps:
       - name: 'Harden runner'
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -133,10 +133,11 @@ jobs:
 
       - name: Publish new helm chart for protect-webhook
         run: |
-          echo ${{ secrets.GITHUB_TOKEN }} | helm registry login ghcr.io --username ${GITHUB_ACTOR} --password-stdin
+          echo "${GH_TOKEN}" | helm registry login ghcr.io --username ${GITHUB_ACTOR} --password-stdin
           helm package charts/protect-webhook/ --version="${PROTECT_WEBHOOK_CHART_VERSION_TAG}"
           helm push protect-webhook-"${PROTECT_WEBHOOK_CHART_VERSION_TAG}".tgz oci://ghcr.io/${GITHUB_REPOSITORY_OWNER}/charts
         env:
+          GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
           GITHUB_ACTOR: '${{ github.actor }}'
           GITHUB_REPOSITORY_OWNER: '${{ steps.resolve_parameters.outputs.repository_owner }}'
           PROTECT_WEBHOOK_CHART_VERSION_TAG: '${{ steps.resolve_parameters.outputs.protect_webhook_chart_version_tag }}'
