chore(ci): fix issues found by Zizmor (#127)

sd2k · web-flow · commit 6c7abd236a17 · 2025-06-17T17:25:26.000+01:00
diff --git a/.github/workflows/changelog.yml b/.github/workflows/changelog.yml
@@ -2,16 +2,24 @@ name: Ensure CHANGELOG updated
 
 on:
   pull_request:
-    types: [ assigned, opened, synchronize, reopened, labeled, unlabeled ]
-    branches: [ main ]
+    types: [assigned, opened, synchronize, reopened, labeled, unlabeled]
+    branches: [main]
+
+permissions:
+  contents: read
+  checks: write
 
 jobs:
   changelog:
     name: Ensure changelog updated
     runs-on: ubuntu-latest
     steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Changelog check
-        uses: Zomzog/changelog-checker@v1.2.0
+        uses: Zomzog/changelog-checker@564f4aa7a062e7498bd253f616569f02fb024c06 # v1.2.0
         with:
           fileName: CHANGELOG.md
           noChangelogLabel: no-changelog
diff --git a/.github/workflows/rust.yml b/.github/workflows/rust.yml
@@ -2,23 +2,28 @@ name: Rust
 
 on:
   push:
-    branches: [ main ]
+    branches: [main]
   pull_request:
-    branches: [ main ]
+    branches: [main]
 
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 jobs:
   check:
     name: Check
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install Rust toolchain
-        uses: moonrepo/setup-rust@v1
+        uses: moonrepo/setup-rust@ede6de059f8046a5e236c94046823e2af11ca670 # v1.2.2
 
       - name: Run cargo check
         run: cargo check --features reqwest --all-targets
@@ -28,10 +33,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install Rust toolchain
-        uses: moonrepo/setup-rust@v1
+        uses: moonrepo/setup-rust@ede6de059f8046a5e236c94046823e2af11ca670 # v1.2.2
 
       - name: Run cargo test
         run: cargo test --features reqwest --all-targets
@@ -41,10 +48,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install Rust toolchain
-        uses: moonrepo/setup-rust@v1
+        uses: moonrepo/setup-rust@ede6de059f8046a5e236c94046823e2af11ca670 # v1.2.2
         with:
           components: rustfmt
 
@@ -56,10 +65,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install Rust toolchain
-        uses: moonrepo/setup-rust@v1
+        uses: moonrepo/setup-rust@ede6de059f8046a5e236c94046823e2af11ca670 # v1.2.2
         with:
           components: clippy
 
@@ -73,10 +84,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout sources
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Install Rust toolchain
-        uses: moonrepo/setup-rust@v1
+        uses: moonrepo/setup-rust@ede6de059f8046a5e236c94046823e2af11ca670 # v1.2.2
 
       - name: Run cargo doc
         run: cargo doc --no-deps --features reqwest --document-private-items
diff --git a/.github/workflows/rustdoc.yml b/.github/workflows/rustdoc.yml
@@ -1,36 +1,41 @@
 name: rustdoc
 on:
   push:
-   branches:
-   - main
+    branches:
+      - main
 
 env:
   CARGO_INCREMENTAL: 0
   CARGO_NET_RETRY: 10
   RUSTDOCFLAGS: "-D warnings -W unreachable-pub --cfg docsrs"
   RUSTUP_MAX_RETRIES: 10
 
+permissions:
+  contents: read
+
 jobs:
   rustdoc:
     runs-on: ubuntu-latest
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v4
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
-    - name: Install Rust toolchain
-      uses: moonrepo/setup-rust@v1
-      with:
-        channel: nightly
-        components: rustfmt, rust-src
+      - name: Install Rust toolchain
+        uses: moonrepo/setup-rust@ede6de059f8046a5e236c94046823e2af11ca670 # v1.2.2
+        with:
+          channel: nightly
+          components: rustfmt, rust-src
 
-    - name: Build Documentation
-      run: cargo +nightly doc --no-deps --features reqwest
+      - name: Build Documentation
+        run: cargo +nightly doc --no-deps --features reqwest
 
-    - name: Deploy Docs
-      uses: peaceiris/actions-gh-pages@v4.0.0
-      with:
-        personal_token: ${{ secrets.GITHUB_TOKEN }}
-        publish_branch: gh-pages
-        publish_dir: ./target/doc
-        force_orphan: true
+      - name: Deploy Docs
+        uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
+        with:
+          personal_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_branch: gh-pages
+          publish_dir: ./target/doc
+          force_orphan: true
diff --git a/crates/grafana-plugin-sdk/src/backend/mod.rs b/crates/grafana-plugin-sdk/src/backend/mod.rs
@@ -733,7 +733,11 @@ where
 {
     // Grafana sometimes sends an empty string instead of an empty map, probably
     // because of some zero value Golang stuff?
-    let jdoc = jdoc.is_empty().then(|| b"{}".as_slice()).unwrap_or(jdoc);
+    let jdoc = if jdoc.is_empty() {
+        b"{}".as_slice()
+    } else {
+        jdoc
+    };
     serde_json::from_slice(jdoc)
 }
 
diff --git a/crates/grafana-plugin-sdk/src/backend/tracing_fmt.rs b/crates/grafana-plugin-sdk/src/backend/tracing_fmt.rs
@@ -273,11 +273,9 @@ impl<'a> io::Write for WriteAdaptor<'a> {
         let s =
             std::str::from_utf8(buf).map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))?;
 
-        self.fmt_write
-            .write_str(s)
-            .map_err(|e| io::Error::new(io::ErrorKind::Other, e))?;
+        self.fmt_write.write_str(s).map_err(io::Error::other)?;
 
-        Ok(s.as_bytes().len())
+        Ok(s.len())
     }
 
     fn flush(&mut self) -> io::Result<()> {
diff --git a/crates/grafana-plugin-sdk/src/lib.rs b/crates/grafana-plugin-sdk/src/lib.rs
@@ -24,7 +24,7 @@ the [crate examples] or [sample app repo] to get started with writing a backend
 The following feature flags enable additional functionality for this crate:
 
 - `reqwest` - adds an [`IntoHttpResponse`][crate::backend::IntoHttpResponse] implementation for
-   [`reqwest::Response`]
+  [`reqwest::Response`]
 
 [Backend plugins on grafana.com]: https://grafana.com/docs/grafana/latest/developers/plugins/backend/
 [Grafana Live]: https://grafana.com/docs/grafana/latest/live/
diff --git a/rust-toolchain.toml b/rust-toolchain.toml
@@ -1,3 +1,3 @@
 [toolchain]
-channel = "1.81.0"
+channel = "1.87.0"
 components = ["rustfmt", "clippy", "rust-analyzer"]

Original file line number	Diff line number	Diff line change
`@@ -733,7 +733,11 @@ where`
`733`	`733`	`{`
`734`	`734`	`// Grafana sometimes sends an empty string instead of an empty map, probably`
`735`	`735`	`// because of some zero value Golang stuff?`
`736`		`- let jdoc = jdoc.is_empty().then(\|\| b"{}".as_slice()).unwrap_or(jdoc);`
	`736`	`+ let jdoc = if jdoc.is_empty() {`
	`737`	`+ b"{}".as_slice()`
	`738`	`+ } else {`
	`739`	`+ jdoc`
	`740`	`+ };`
`737`	`741`	`serde_json::from_slice(jdoc)`
`738`	`742`	`}`
`739`	`743`