repair github actions warnings and errors

.github/workflows/ci-actions.yaml

@@ -14,8 +14,11 @@ jobs:
     name: zizmor
     runs-on: ubuntu-latest
     permissions:
+      # write is needed to upload security events to GitHub code scanning.
       security-events: write
+      # we only need to read the contents of the repository.
       contents: read
+      # we only need to read the action metadata.
       actions: read
     steps:
     - name: harden runner
@@ -34,10 +37,10 @@ jobs:
     - name: zizmor
       run: uvx zizmor --pedantic --format sarif . > results.sarif
       env:
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
 
     - name: upload
-      uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
+      uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4
       with:
         sarif_file: results.sarif
         category: zizmor

.github/workflows/ci-code.yaml

@@ -9,6 +9,7 @@ on:
     - main
 
 permissions:
+  # we only need to read the contents of the repository.
   contents: read
 
 jobs:

.github/workflows/release-assets.yaml

@@ -12,6 +12,7 @@ jobs:
   assets:
     name: assets
     permissions:
+      # write is needed to upload release artifacts.
       contents: write
     runs-on: ubuntu-latest
     steps:
@@ -34,7 +35,8 @@ jobs:
       run: ./hack/assemble.sh
 
     - name: 'upload release artifacts'
-      run: ./hack/ci/upload-release-assets.sh "${{ github.event.release.tag_name }}"
+      run: ./hack/ci/upload-release-assets.sh
       env:
         GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        RELEASE_TAG: "${{ github.event.release.tag_name }}"
       if: ${{ github.event_name == 'release' }}