repair github actions warnings and errors

2025-12-19 10:10:17 +00:00 · 2025-10-19 01:26:35 -07:00
parent 7a488ad91b
commit a750b0f6d1
5 changed files with 24 additions and 13 deletions
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -4,6 +4,8 @@ updates:
  directory: /
  schedule:
    interval: weekly
+  cooldown:
+    default-days: 7
  groups:
    actions-updates:
      dependency-type: production
@@ -15,6 +17,8 @@ updates:
  directory: /
  schedule:
    interval: weekly
+  cooldown:
+    default-days: 7
  groups:
    cargo-updates:
      dependency-type: production
--- a/.github/workflows/ci-actions.yaml
+++ b/.github/workflows/ci-actions.yaml
@@ -14,8 +14,11 @@ jobs:
    name: zizmor
    runs-on: ubuntu-latest
    permissions:
+      # write is needed to upload security events to GitHub code scanning.
      security-events: write
+      # we only need to read the contents of the repository.
      contents: read
+      # we only need to read the action metadata.
      actions: read
    steps:
    - name: harden runner
@@ -34,10 +37,10 @@ jobs:
    - name: zizmor
      run: uvx zizmor --pedantic --format sarif . > results.sarif
      env:
-        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

    - name: upload
-      uses: github/codeql-action/upload-sarif@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4
+      uses: github/codeql-action/upload-sarif@16140ae1a102900babc80a33c44059580f687047 # v4
      with:
        sarif_file: results.sarif
        category: zizmor
--- a/.github/workflows/ci-code.yaml
+++ b/.github/workflows/ci-code.yaml
@@ -9,6 +9,7 @@ on:
    - main

 permissions:
+  # we only need to read the contents of the repository.
  contents: read

 jobs:
--- a/.github/workflows/release-assets.yaml
+++ b/.github/workflows/release-assets.yaml
@@ -12,6 +12,7 @@ jobs:
  assets:
    name: assets
    permissions:
+      # write is needed to upload release artifacts.
      contents: write
    runs-on: ubuntu-latest
    steps:
@@ -34,7 +35,8 @@ jobs:
      run: ./hack/assemble.sh

    - name: 'upload release artifacts'
-      run: ./hack/ci/upload-release-assets.sh "${{ github.event.release.tag_name }}"
+      run: ./hack/ci/upload-release-assets.sh
      env:
        GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+        RELEASE_TAG: "${{ github.event.release.tag_name }}"
      if: ${{ github.event_name == 'release' }}
--- a/hack/ci/upload-release-assets.sh
+++ b/hack/ci/upload-release-assets.sh
@@ -2,18 +2,19 @@
 set -e

 retry() {
-  for i in $(seq 1 10); do
-    if "${@}"; then
-      return 0
-    else
-      sleep "${i}"
-    fi
-  done
-  "${@}"
+	for i in $(seq 1 10); do
+		if "${@}"; then
+			return 0
+		else
+			sleep "${i}"
+		fi
+	done
+	"${@}"
 }

-TAG="${1}"
-shift
+if [ -z "${RELEASE_TAG}" ]; then
+	exit 1
+fi

 cd target/assemble