CI: Fix and enable scanning GitHub Actions with actionlint and zizmor (OSGeo#6296)

Author: echoix

.github/actions/create-upload-suggestions/action.yml

@@ -145,7 +145,9 @@ runs:
     - name: List all changed files tracked and untracked files
       shell: bash
       run: |
-        echo "Changed files: ${{ steps.git-changed-files.outputs.CHANGED_FILES }}"
+        echo "Changed files: ${CHANGED_FILES}"
+      env:
+        CHANGED_FILES: ${{ steps.git-changed-files.outputs.CHANGED_FILES }}
     - name: Add job summary without changed files
       shell: bash
       if: ${{ steps.files_changed.outputs.files_changed == 'false' }}

.github/workflows/additional_checks.yml

@@ -23,6 +23,8 @@ jobs:
   additional-checks:
     name: Additional checks
     runs-on: ubuntu-24.04
+    permissions:
+      contents: read
 
     steps:
       - name: Checkout repository contents
@@ -37,6 +39,10 @@ jobs:
           python-version: "3.13"
       - name: Install uv and restore its cache
         uses: astral-sh/setup-uv@557e51de59eb14aaaba2ed9621916900a91d50c6 # v6.6.1
+        with:
+          # To not have the last commit JSON and release notes files affected on
+          # releases, if copying the contents displayed in the CI logs.
+          enable-cache: false
 
       - name: Check that files with the same content are the same
         run: |
@@ -56,11 +62,12 @@ jobs:
           # Using the last 30 commits (for branches, tags, and PRs).
           # End is the current (latest) commit.
           python ./utils/generate_release_notes.py log \
-              ${{ github.ref_name }} \
-              $(git rev-parse HEAD~30) \
+              "${GITHUB_REF_NAME}" \
+              "$(git rev-parse HEAD~30)" \
               ""
       - name: "Cache pre-commit"
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        # Not used for releases, only for running pre-commit
+        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4  # zizmor: ignore[cache-poisoning]
         with:
           path: ~/.cache/pre-commit
           key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}

.github/workflows/cmake.yml

@@ -26,21 +26,21 @@ jobs:
   build-cmake:
     runs-on: ubuntu-22.04
     env:
-      CMakeVersion: "3.22.0"
+      CMAKE_VERSION: "3.22.0"
     steps:
       - name: Checkout GRASS
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Install CMake
         run: |
-          cd ${GITHUB_WORKSPACE}
-          arch=$(echo $(uname -s)-$(uname -m) | awk '{print tolower($0)}')
-          v=v${{ env.CMakeVersion }}/cmake-${{ env.CMakeVersion }}-${arch}.tar.gz
-          wget https://github.com/Kitware/CMake/releases/download/$v
-          tar xzf cmake-${{ env.CMakeVersion }}-${arch}.tar.gz
-          echo "CMAKE_DIR=$GITHUB_WORKSPACE/cmake-${{ env.CMakeVersion }}-${arch}/bin" >> $GITHUB_ENV
-          echo "$GITHUB_WORKSPACE/cmake-${{ env.CMakeVersion }}-${arch}/bin" >> $GITHUB_PATH
+          cd "${GITHUB_WORKSPACE}" || exit
+          arch="$(echo "$(uname -s)"-"$(uname -m)" | awk '{print tolower($0)}')"
+          v="v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-${arch}.tar.gz"
+          wget "https://github.com/Kitware/CMake/releases/download/$v"
+          tar xzf "cmake-${CMAKE_VERSION}-${arch}.tar.gz"
+          echo "CMAKE_DIR=${GITHUB_WORKSPACE}/cmake-${CMAKE_VERSION}-${arch}/bin" >> "${GITHUB_ENV}"
+          echo "${GITHUB_WORKSPACE}/cmake-${CMAKE_VERSION}-${arch}/bin" >> "${GITHUB_PATH}"
       - run: |
           cmake --version
       - name: Install dependencies
@@ -58,25 +58,25 @@ jobs:
           ldd --version
       - name: Create installation directory
         run: |
-          mkdir $HOME/install
+          mkdir "${HOME}/install"
       - name: Configure
         run: |
-          cmake ${CMAKE_OPTIONS} -S $GITHUB_WORKSPACE -B $GITHUB_WORKSPACE/build -G Ninja \
-            -DCMAKE_INSTALL_PREFIX=$HOME/install -DWITH_NLS=ON -DWITH_GUI=OFF -DWITH_DOCS=OFF \
+          cmake -S "${GITHUB_WORKSPACE}" -B "${GITHUB_WORKSPACE}/build" -G Ninja \
+            -DCMAKE_INSTALL_PREFIX="${HOME}/install" -DWITH_NLS=ON -DWITH_GUI=OFF -DWITH_DOCS=OFF \
             -DWITH_READLINE=ON -DWITH_ODBC=ON -DWITH_NETCDF=ON -DWITH_BZLIB=ON
       - name: Print CMakeCache.txt
         shell: bash -el {0}
         run: |
-          cat ${GITHUB_WORKSPACE}/build/CMakeCache.txt
+          cat "${GITHUB_WORKSPACE}/build/CMakeCache.txt"
       - name: Build
         run: |
-          cmake --build build --verbose -j$(nproc)
+          cmake --build build --verbose -j"$(nproc)"
       - name: Install
         run: |
-          cmake --install $GITHUB_WORKSPACE/build --verbose
+          cmake --install "${GITHUB_WORKSPACE}/build" --verbose
       - name: Add the bin directory to PATH
         run: |
-          echo "$HOME/install/bin" >> $GITHUB_PATH
+          echo "${HOME}/install/bin" >> "${GITHUB_PATH}"
       - name: Print installed versions
         if: always()
         run: .github/workflows/print_versions.sh

.github/workflows/codeql-analysis.yml

@@ -70,11 +70,11 @@ jobs:
 
       - name: Set LD_LIBRARY_PATH for compilation
         run: |
-          echo "LD_LIBRARY_PATH=${HOME}/install/lib" >> $GITHUB_ENV
+          echo "LD_LIBRARY_PATH=${HOME}/install/lib" >> "${GITHUB_ENV}"
 
       - name: Set number of cores for compilation
         run: |
-          echo "MAKEFLAGS=-j$(nproc)" >> $GITHUB_ENV
+          echo "MAKEFLAGS=-j$(nproc)" >> "${GITHUB_ENV}"
 
       - name: Build
         if: ${{ matrix.language == 'c-cpp' }}

.github/workflows/coverity.yml

@@ -30,7 +30,7 @@ jobs:
 
       - name: Create installation directory
         run: |
-          mkdir $HOME/install
+          mkdir "${HOME}/install"
 
       - name: Download Coverity Build Tool
         run: |
@@ -43,11 +43,11 @@ jobs:
 
       - name: Set number of cores for compilation
         run: |
-          echo "MAKEFLAGS=-j$(nproc)" >> $GITHUB_ENV
+          echo "MAKEFLAGS=-j$(nproc)" >> "${GITHUB_ENV}"
 
       - name: Set LD_LIBRARY_PATH for compilation
         run: |
-          echo "LD_LIBRARY_PATH=$HOME/install/lib" >> $GITHUB_ENV
+          echo "LD_LIBRARY_PATH=${HOME}/install/lib" >> "${GITHUB_ENV}"
 
       - name: Print build environment variables
         run: |
@@ -57,11 +57,11 @@ jobs:
 
       - name: Configure
         run: |
-          echo "CFLAGS=${{ env.CFLAGS }}" >> $GITHUB_ENV
-          echo "CXXFLAGS=${{ env.CXXFLAGS }}" >> $GITHUB_ENV
+          echo "CFLAGS=${CFLAGS}" >> "${GITHUB_ENV}"
+          echo "CXXFLAGS=${CXXFLAGS}" >> "${GITHUB_ENV}"
           ./configure \
               --enable-largefile \
-              --prefix="$HOME/install/" \
+              --prefix="${HOME}/install/" \
               --with-blas \
               --with-bzlib \
               --with-cxx \
@@ -87,7 +87,8 @@ jobs:
       - name: Build with cov-build
         run: |
           pwd
-          export PATH="$(pwd)/cov-analysis-linux64/bin:${PATH}"
+          PATH="$(pwd)/cov-analysis-linux64/bin:${PATH}"
+          export PATH
           cov-build --dir cov-int make
 
       - name: Put results into Tarball

.github/workflows/create_release_draft.yml

@@ -41,12 +41,12 @@ jobs:
           python-version: '3.13'
       - name: Create output directory
         run: |
-          mkdir ${{ env.OUT_DIR }}
+          mkdir "${OUT_DIR}"
       - name: Generate ChangeLog file
         run: |
           python utils/gitlog2changelog.py
-          mv ChangeLog ${{ env.OUT_DIR }}/ChangeLog
-          gzip ${{ env.OUT_DIR }}/ChangeLog
+          mv ChangeLog "${OUT_DIR}/ChangeLog"
+          gzip "${OUT_DIR}/ChangeLog"
       - name: Generate Git derived data files
         run: |
           echo "Generate VERSION_GIT file:"
@@ -58,21 +58,21 @@ jobs:
           echo "Create core modules patch file:"
           git add core_modules_with_last_commit.json
           git diff --cached > \
-            ${{ env.OUT_DIR }}/core_modules_with_last_commit.patch
+            "${OUT_DIR}/core_modules_with_last_commit.patch"
       - name: Create tarballs (for tags only)
         if: startsWith(github.ref, 'refs/tags/')
         run: |
           cd ..
-          tar -cvf ${{ env.OUT_DIR }}/${{ env.GRASS }}.tar \
+          tar -cvf "${OUT_DIR}/${GRASS}.tar" \
             --exclude=".gi*" --exclude=".tr*" \
-            --transform s/grass/${{ env.GRASS }}/ grass
-          cd ${{ env.OUT_DIR }}
-          gzip -9k ${{ env.GRASS }}.tar
-          md5sum ${{ env.GRASS }}.tar.gz > ${{ env.GRASS }}.tar.gz.md5
-          sha256sum ${{ env.GRASS }}.tar.gz > ${{ env.GRASS }}.tar.gz.sha256
-          xz -9e ${{ env.GRASS }}.tar
-          md5sum ${{ env.GRASS }}.tar.xz > ${{ env.GRASS }}.tar.xz.md5
-          sha256sum ${{ env.GRASS }}.tar.xz > ${{ env.GRASS }}.tar.xz.sha256
+            --transform s/grass/"${GRASS}"/ grass
+          cd "${OUT_DIR}" || exit
+          gzip -9k "${GRASS}.tar"
+          md5sum "${GRASS}.tar.gz" > "${GRASS}.tar.gz.md5"
+          sha256sum "${GRASS}.tar.gz" > "${GRASS}.tar.gz.sha256"
+          xz -9e "${GRASS}.tar"
+          md5sum "${GRASS}.tar.xz" > "${GRASS}.tar.xz.md5"
+          sha256sum "${GRASS}.tar.xz" > "${GRASS}.tar.xz.sha256"
       - name: Publish draft distribution to GitHub (for tags only)
         if: startsWith(github.ref, 'refs/tags/')
         uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2.3.3

.github/workflows/docker.yml

@@ -105,9 +105,9 @@ jobs:
             || github.ref == format('refs/heads/{0}', steps.tag-branch.outputs.latest_rel_branch)
           }}"
           echo "latest=${latest}" >> "${GITHUB_OUTPUT}"
-          echo "latest is $latest"
+          echo "latest is ${latest}"
           echo "current=${current}" >> "${GITHUB_OUTPUT}"
-          echo "current is $current"
+          echo "current is ${current}"
       - name: Docker meta
         id: meta
         uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
@@ -160,7 +160,9 @@ jobs:
                 && format('type=gha,scope={0}', matrix.os) || '' }}
           cache-to: type=gha,mode=max,scope=${{ matrix.os }}
       - name: Image digest
-        run: echo ${{ steps.docker_build.outputs.digest }}
+        run: echo "${STEPS_DOCKER_BUILD_OUTPUTS_DIGEST}"
+        env:
+          STEPS_DOCKER_BUILD_OUTPUTS_DIGEST: ${{ steps.docker_build.outputs.digest }}
       - name: Attest docker.io image
         uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
         # If there isn't a digest, an annotation cannot be added

.github/workflows/documentation.yml

@@ -45,20 +45,29 @@ jobs:
           xargs -a <(awk '! /^ *(#|$)/' "grass/.github/workflows/apt.txt") -r -- \
               sudo apt-get install -y --no-install-recommends --no-install-suggests
 
-      - name: Set up Python
+      - name: Set up Python (with cache)
+        if: ${{ contains(fromJSON('["push", "pull_request"]'), github.event_name) }}
+        uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          cache: pip # zizmor: ignore[cache-poisoning] Assuming push event is not used for tags
+
+      - name: Set up Python (no cache, use for release artifacts)
+        if: ${{ !contains(fromJSON('["push", "pull_request"]'), github.event_name) }}
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         with:
           python-version: ${{ env.PYTHON_VERSION }}
-          cache: pip
 
       - name: Set version variables
         run: |
-          cd grass
-          eval $(./utils/update_version.py status --bash)
-          echo "MAJOR=$MAJOR" >> $GITHUB_ENV
-          echo "MINOR=$MINOR" >> $GITHUB_ENV
-          echo "VERSION=$VERSION" >> $GITHUB_ENV
-          echo "YEAR=$YEAR" >> $GITHUB_ENV
+          cd grass || exit
+          eval "$(./utils/update_version.py status --bash)"
+          {
+            echo "MAJOR=${MAJOR}"
+            echo "MINOR=${MINOR}"
+            echo "VERSION=${VERSION}"
+            echo "YEAR=${YEAR}"
+          } >> "${GITHUB_ENV}"
 
       - name: Checkout addons
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -69,13 +78,14 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - name: ccache
+      - name: ccache (do not use for release artifacts)
         uses: hendrikmuhs/ccache-action@bfa03e1de4d7f7c3e80ad9109feedd05c4f5a716 # v1.2.19
+        if: ${{ !contains(fromJSON('["push", "pull_request"]'), github.event_name) }}
         with:
           create-symlink: true
           verbose: 2
           evict-old-files: 7d
-          key: ${{ github.workflow }}-${{ github.job }}-grass${{ env.MAJOR }}-${{ matrix.python-version }}
+          key: ${{ github.workflow }}-${{ github.job }}-grass${{ env.MAJOR }}-${{ env.PYTHON_VERSION }}
 
       - name: Install Python dependencies
         # We install both core and addon dependencies, but we don't install any
@@ -86,6 +96,7 @@ jobs:
           pip install -r grass-addons/.github/workflows/requirements.txt
 
       - uses: rui314/setup-mold@725a8794d15fc7563f59595bd9556495c0564878 # v1
+        if: ${{ !contains(fromJSON('["push", "pull_request"]'), github.event_name) }}
 
       - name: Create installation directory
         run: |
@@ -170,11 +181,11 @@ jobs:
       - name: Compile addons
         run: |
           ./grass-addons/utils/cronjobs_osgeo_lxd/compile_addons_git.sh \
-            "$MAJOR" \
-            "$MINOR" \
-            $(pwd)/grass-addons/src \
-            $(grass --config path) \
-            $(pwd)/addons-build-dir \
+            "${MAJOR}" \
+            "${MINOR}" \
+            "$(pwd)/grass-addons/src" \
+            "$(grass --config path)" \
+            "$(pwd)/addons-build-dir" \
             grass
 
       - name: Get target path for Markdown files
@@ -183,24 +194,27 @@ jobs:
 
       - name: Move from build to target directory
         run: |
-          mkdir "$MKDOCS_DIR/source/addons"
-          mv -v addons-build-dir/docs/md/source/* "$MKDOCS_DIR/source/addons"
+          mkdir "${MKDOCS_DIR}/source/addons"
+          mv -v addons-build-dir/docs/md/source/* "${MKDOCS_DIR}/source/addons"
 
       - name: Build index
         run: |
-          export ARCH="$(grass --config arch)"
-          export ARCH_DISTDIR="$(grass --config path)"
-          export VERSION_NUMBER="$VERSION"
+          ARCH="$(grass --config arch)"
+          ARCH_DISTDIR="$(grass --config path)"
+          export ARCH
+          export ARCH_DISTDIR
+          export VERSION_NUMBER="${VERSION}"
           grass --tmp-project XY --exec \
-            python grass/man/build_full_index.py md index "$MKDOCS_DIR/source/addons" addons
+            python grass/man/build_full_index.py md index "${MKDOCS_DIR}/source/addons" addons
 
       - name: Copy shared files to addons
         run: |
-          cd "$MKDOCS_DIR/source"
+          cd "${MKDOCS_DIR}/source" || exit
           # This should match directories with color tables and other files
           # linked from the pages.
+          # shellcheck disable=SC2010,SC2035 # TODO: Address these two issues
           for name in $(ls -1d */ | grep -vE "^(addons|libpython)/$"); do
-            cp -rv $name addons
+            cp -rv "${name}" addons
           done
 
       - name: Get mkdocs
@@ -209,30 +223,30 @@ jobs:
 
       - name: Run mkdocs
         run: |
-          cd grass
-          eval $(./utils/update_version.py status --bash)
+          cd grass || exit
+          eval "$(./utils/update_version.py status --bash)"
           cd ..
           export SITE_NAME="GRASS $VERSION Documentation"
           export COPYRIGHT="&copy; 2003-$YEAR GRASS Development Team, GRASS $VERSION Documentation"
-          cd $MKDOCS_DIR
+          cd "${MKDOCS_DIR}" || exit
           mkdocs build
 
       - name: Build Sphinx documentation
         run: |
           pip install -r "grass/python/grass/docs/requirements.txt"
-          cd grass
+          cd grass || exit
           make sphinxdoclib
           ARCH="$(grass --config arch)"
-          mv -v dist.$ARCH/docs/html/libpython $MKDOCS_DIR/site
+          mv -v dist."${ARCH}/docs/html/libpython" "${MKDOCS_DIR}/site"
 
       - name: Merge Sphinx and MkDocs Sitemaps
         run: |
-          cd grass
+          cd grass || exit
           python utils/merge_sitemaps.py \
-            --mkdocs-sitemap "$MKDOCS_DIR/site/sitemap.xml" \
-            --sphinx-sitemap "$MKDOCS_DIR/site/libpython/sitemap.xml" \
-            --output "$MKDOCS_DIR/site/sitemap.xml" \
-            --version $VERSION -o
+            --mkdocs-sitemap "${MKDOCS_DIR}/site/sitemap.xml" \
+            --sphinx-sitemap "${MKDOCS_DIR}/site/libpython/sitemap.xml" \
+            --output "${MKDOCS_DIR}/site/sitemap.xml" \
+            --version "${VERSION}" -o
 
       - name: Make logs available
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2