2020 default : false
2121
2222# Declare default permissions as read only.
23- permissions : read-all
23+ permissions :
24+ contents : read
2425
2526jobs :
2627 # Detect which files changed to run appropriate checks
@@ -35,11 +36,20 @@ jobs:
3536 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
3637 with :
3738 fetch-depth : 0
39+ persist-credentials : false
3840 - name : Detect changed files
3941 id : changed-files
42+ env :
43+ RUN_ALL : ${{ inputs.run_all }}
44+ EVENT_NAME : ${{ github.event_name }}
45+ PR_LABELS : ${{ toJson(github.event.pull_request.labels.*.name) }}
46+ EVENT_ACTION : ${{ github.event.action }}
47+ EVENT_LABEL_NAME : ${{ github.event.label.name }}
48+ PR_BASE_SHA : ${{ github.event.pull_request.base.sha }}
49+ EVENT_BEFORE : ${{ github.event.before }}
4050 run : |
4151 # If run_all input is true (from workflow_call or workflow_dispatch), run everything
42- if [ "${{ inputs.run_all }} " = "true" ]; then
52+ if [ "$RUN_ALL " = "true" ]; then
4353 echo "run_all=true, running all checks"
4454 echo "go=true" >> $GITHUB_OUTPUT
4555 echo "rust=true" >> $GITHUB_OUTPUT
4858 fi
4959
5060 # Check for CI trigger labels on PRs
51- if [ "${{ github.event_name }} " = "pull_request" ]; then
52- LABELS='${{ toJson(github.event.pull_request.labels.*.name) }}'
61+ if [ "$EVENT_NAME " = "pull_request" ]; then
62+ LABELS="$PR_LABELS"
5363 echo "PR Labels: $LABELS"
5464
5565 if echo "$LABELS" | grep -q "ci-full"; then
7181 fi
7282
7383 # If triggered by label event and we found a matching label, skip path detection
74- if [ "${{ github.event.action }} " = "labeled" ]; then
75- LABEL_NAME='${{ github.event.label.name }}'
84+ if [ "$EVENT_ACTION " = "labeled" ]; then
85+ LABEL_NAME="$EVENT_LABEL_NAME"
7686 if [ "$LABEL_NAME" = "ci-full" ] || [ "$LABEL_NAME" = "ci-go" ] || [ "$LABEL_NAME" = "ci-rust" ]; then
7787 echo "Triggered by label event, skipping path detection"
7888 exit 0
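Review bot: The new `env:` block on new-side lines 42–49, which replaces the inline `${{ }}` expansions in the `run:` script, carries no comment explaining why, so the next edit to this step is likely to re-inline an expression such as `${{ github.event.label.name }}` straight into the shell text. A one-line comment above `env:` would pin the intent, e.g. `# Event data is passed through env vars so that event-controlled values are never expanded into the shell script itself.` The `persist-credentials: false` added to the checkout above is consistent with this step only reading git history. The step's `run:` body continues outside this hunk.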
@@ -81,11 +91,11 @@ jobs:
8191 fi
8292
8393 # Determine base ref for comparison
84- if [ "${{ github.event_name }} " = "pull_request" ]; then
85- BASE_REF="${{ github.event.pull_request.base.sha }} "
94+ if [ "$EVENT_NAME " = "pull_request" ]; then
95+ BASE_REF="$PR_BASE_SHA "
8696 else
8797 # For push events, compare with previous commit
88- BASE_REF="${{ github.event.before }} "
98+ BASE_REF="$EVENT_BEFORE "
8999 # If first push to branch, compare with parent
90100 if [ "$BASE_REF" = "0000000000000000000000000000000000000000" ]; then
91101 BASE_REF="HEAD^"
@@ -124,6 +134,8 @@ jobs:
124134 runs-on : ubuntu-latest
125135 steps :
126136 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
137+ with :
138+ persist-credentials : false
127139 - uses : actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
128140 with :
129141 go-version : " 1.26"
@@ -132,7 +144,7 @@ jobs:
132144 - name : Upload Go test coverage to Codecov
133145 uses : codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
134146 env :
135- CODECOV_TOKEN : ${{ secrets.CODECOV_ORG_TOKEN }}
147+ CODECOV_TOKEN : ${{ secrets.CODECOV_ORG_TOKEN }} # zizmor: ignore[secrets-outside-env]
136148 with :
137149 name : go-tests
138150 files : coverage/cover.out
@@ -146,6 +158,8 @@ jobs:
146158 runs-on : ubuntu-latest
147159 steps :
148160 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
161+ with :
162+ persist-credentials : false
149163 - uses : actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
150164 with :
151165 go-version : " 1.26"
@@ -159,6 +173,8 @@ jobs:
159173 runs-on : ubuntu-latest
160174 steps :
161175 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
176+ with :
177+ persist-credentials : false
162178 - uses : actions/setup-go@4b73464bb391d4059bd26b0524d20df3927bd417 # v6.3.0
163179 with :
164180 go-version : " 1.26"
@@ -179,6 +195,8 @@ jobs:
179195 steps :
180196 - name : Checkout
181197 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
198+ with :
199+ persist-credentials : false
182200
183201 - name : List crate folders
184202 id : set-matrix
@@ -195,9 +213,13 @@ jobs:
195213 matrix : ${{fromJson(needs.calculate-crates-matrix.outputs.matrix)}}
196214 steps :
197215 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
216+ with :
217+ persist-credentials : false
198218 - name : " Run cargo fmt"
219+ env :
220+ CRATE : ${{ matrix.crate }}
199221 run : |
200- make -C crates/${{ matrix.crate }} fmt
222+ make -C crates/$CRATE fmt
201223
202224 clippy-rust-per-crate :
203225 needs : calculate-crates-matrix
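Review bot: `make -C crates/$CRATE fmt` on new-side line 223 leaves the expansion unquoted, so a crate name containing whitespace or glob characters would word-split before reaching make; the same pattern appears in the clippy hunk (new line 238) and the cargo test hunk (new line 254). Moving the value out of `${{ }}` into `env:` removes the expression-injection path, but quoting completes it: `make -C "crates/$CRATE" fmt`. The matrix value appears to originate from the repository's own crate folder listing, so this is a robustness point rather than an exposure.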
@@ -207,9 +229,13 @@ jobs:
207229 matrix : ${{fromJson(needs.calculate-crates-matrix.outputs.matrix)}}
208230 steps :
209231 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
232+ with :
233+ persist-credentials : false
210234 - name : " Run cargo clippy"
235+ env :
236+ CRATE : ${{ matrix.crate }}
211237 run : |
212- make -C crates/${{ matrix.crate }} lint
238+ make -C crates/$CRATE lint
213239
214240 unit-tests-rust-per-crate :
215241 needs : calculate-crates-matrix
@@ -219,9 +245,13 @@ jobs:
219245 matrix : ${{fromJson(needs.calculate-crates-matrix.outputs.matrix)}}
220246 steps :
221247 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
248+ with :
249+ persist-credentials : false
222250 - name : " Run cargo test"
251+ env :
252+ CRATE : ${{ matrix.crate }}
223253 run : |
224- make -C crates/${{ matrix.crate }} unit-tests
254+ make -C crates/$CRATE unit-tests
225255
226256 integration-tests-burrego :
227257 needs : [changes, calculate-crates-matrix]
@@ -230,6 +260,8 @@ jobs:
230260 runs-on : ubuntu-latest
231261 steps :
232262 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
263+ with :
264+ persist-credentials : false
233265 - name : Install opa
234266 uses : kubewarden/github-actions/opa-installer@f301a7874dd642510fff54a89e4329881bf871ef # v4.6.0
235267 with :
@@ -246,6 +278,8 @@ jobs:
246278 runs-on : ubuntu-latest
247279 steps :
248280 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
281+ with :
282+ persist-credentials : false
249283 - name : Run e2e tests
250284 run : make -C crates/kwctl e2e-tests
251285
@@ -256,6 +290,8 @@ jobs:
256290 runs-on : ubuntu-latest
257291 steps :
258292 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
293+ with :
294+ persist-credentials : false
259295 - name : Prepare sigstore environment for testing
260296 uses : ./.github/actions/setup-sigstore-env
261297 - name : Run kwctl Sigstore E2E tests
@@ -268,6 +304,8 @@ jobs:
268304 runs-on : ubuntu-latest
269305 steps :
270306 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
307+ with :
308+ persist-credentials : false
271309 - name : Prepare sigstore environment for testing
272310 uses : ./.github/actions/setup-sigstore-env
273311 - name : Run policy-server Sigstore E2E tests
@@ -280,6 +318,8 @@ jobs:
280318 runs-on : ubuntu-latest
281319 steps :
282320 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
321+ with :
322+ persist-credentials : false
283323 - name : Run integration tests
284324 run : make -C crates/policy-server integration-tests
285325
@@ -290,6 +330,8 @@ jobs:
290330 runs-on : ubuntu-latest
291331 steps :
292332 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
333+ with :
334+ persist-credentials : false
293335 - name : Build kwctl
294336 run : make -C crates/kwctl build-release
295337 - name : Setup kwctl
@@ -309,6 +351,8 @@ jobs:
309351 continue-on-error : true
310352 steps :
311353 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
354+ with :
355+ persist-credentials : false
312356 - name : Install cargo-llvm-cov
313357 uses : taiki-e/install-action@06203676c62f0d3c765be3f2fcfbebbcb02d09f5 # v2.69.6
314358 with :
@@ -319,7 +363,7 @@ jobs:
319363 - name : Upload Rust test coverage to Codecov
320364 uses : codecov/codecov-action@1af58845a975a7985b0beb0cbe6fbbb71a41dbad # v5.5.3
321365 env :
322- CODECOV_TOKEN : ${{ secrets.CODECOV_ORG_TOKEN }}
366+ CODECOV_TOKEN : ${{ secrets.CODECOV_ORG_TOKEN }} # zizmor: ignore[secrets-outside-env]
323367 with :
324368 name : rust-tests
325369 files : coverage/lcov.info
@@ -344,6 +388,8 @@ jobs:
344388 steps :
345389 - name : Checkout
346390 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
391+ with :
392+ persist-credentials : false
347393 - run : shellcheck $(find scripts/ -name '*.sh')
348394
349395 spelling :
@@ -352,6 +398,8 @@ jobs:
352398 steps :
353399 - name : Checkout
354400 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
401+ with :
402+ persist-credentials : false
355403 - name : Check spelling with typos
356404 uses : crate-ci/typos@631208b7aac2daa8b707f55e7331f9112b0e062d # v1.44.0
357405
@@ -360,6 +408,8 @@ jobs:
360408 runs-on : ubuntu-latest
361409 steps :
362410 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
411+ with :
412+ persist-credentials : false
363413 - name : Install helm
364414 uses : azure/setup-helm@1a275c3b69536ee54be43f2070a358922e12c8d4 # v4.3.1
365415 # Disable plugin verification until the following issue is addressed https://github.com/helm-unittest/helm-unittest/issues/777
@@ -377,6 +427,8 @@ jobs:
377427 runs-on : ubuntu-latest
378428 steps :
379429 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
430+ with :
431+ persist-credentials : false
380432 - name : Run validation script
381433 run : ./scripts/validate-hauler-manifest.sh
382434
@@ -388,6 +440,8 @@ jobs:
388440 steps :
389441 - name : Checkout
390442 uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
443+ with :
444+ persist-credentials : false
391445
392446 - run : |
393447 make -C crates/kwctl build-docs
@@ -406,6 +460,8 @@ jobs:
406460 runs-on : ${{ matrix.os }}
407461 steps :
408462 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
463+ with :
464+ persist-credentials : false
409465
410466 - name : enable git long paths on Windows
411467 if : matrix.os == 'windows-latest'