ci: fix zizmor audit findings

MarshallOfSound · MarshallOfSound · commit 69ce06bc1ee2 · 2026-04-02T20:00:54.000Z
diff --git a/.github/workflows/add-to-project.yml b/.github/workflows/add-to-project.yml
@@ -1,6 +1,6 @@
 name: Add to Ecosystem WG Project
 
-on:
+on: # zizmor: ignore[dangerous-triggers] needed to access app creds for fork PRs; no PR code is checked out
   issues:
     types:
       - opened
diff --git a/.github/workflows/auto-fix-lint.yml b/.github/workflows/auto-fix-lint.yml
@@ -22,7 +22,7 @@ jobs:
       with:
         creds: ${{ secrets.GH_APP_CREDS }}
         export-git-user: true
-    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # tag: v4.1.1
+    - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # tag: v4.1.1 # zizmor: ignore[artipacked] persisted token is intentional; needed for the git push step below
       with:
         token: ${{ steps.generate-token.outputs.token }}
     - name: Setup Node.js
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -20,6 +20,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11  # tag: v4.1.1
+      with:
+        persist-credentials: false
     - name: Setup Node.js
       uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65  # tag: v4.0.0
       with:

-Original file line number
+Diff line change
@@ @@ -1,6 +1,6 @@ @@
 name: Add to Ecosystem WG Project
 -on:
 +on: # zizmor: ignore[dangerous-triggers] needed to access app creds for fork PRs; no PR code is checked out
   issues:
     types:
       - opened