zizmor: Apply more lints

2026-04-21 15:10:27 +00:00 · 2026-03-30 01:55:32 +09:00
parent fd0f63e180
commit 41213fbc0e
5 changed files with 28 additions and 30 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,7 +51,8 @@ jobs:
      contents: write # for creating branch for pr
      pull-requests: write # unused (used in `codegen-automerge: true` case)
      security-events: write # for github/codeql-action/*
-    secrets: inherit
+    secrets:
+      PR_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PR_TOKEN_APP_PRIVATE_KEY }}

  test:
    strategy:
@@ -99,7 +100,11 @@ jobs:
      - run: rm -- Cargo.toml
      - name: Generate tool list
        id: tool-list
-        run: tools/ci/tool-list.sh "${{ matrix.tool }}" "${{ matrix.os }}" "${{ matrix.bash }}" >>"${GITHUB_OUTPUT}"
+        run: tools/ci/tool-list.sh "${TOOL}" "${OS}" "${BASH}" >>"${GITHUB_OUTPUT}"
+        env:
+          TOOL: ${{ matrix.tool }}
+          OS: ${{ matrix.os }}
+          BASH: ${{ matrix.bash }}
      - run: |
          printf '%s\n' 'C:\msys64\mingw32\bin' >>"${GITHUB_PATH}"
          printf '%s\n' 'C:\msys64\usr\bin' >>"${GITHUB_PATH}"
@@ -264,7 +269,7 @@ jobs:
          sed -i /etc/yum.repos.d/*.repo -e 's!^mirrorlist!#mirrorlist!' \
            -e 's!^#baseurl=http://mirror.centos.org/!baseurl=https://vault.centos.org/!'
          sed -i 's/enabled=1/enabled=0/' /etc/yum/pluginconf.d/fastestmirror.conf
-          if [[ "${{ matrix.container }}" == "centos:6" ]]; then
+          if [[ "${CONTAINER}" == "centos:6" ]]; then
            # CentOS 6's curl (7.19.7) has no curl has no --proto/--tlsv1.2.
            yum install -y gcc openssl-devel
            curl -fsSL --retry 10 https://curl.se/download/curl-7.34.0.tar.gz | tar xzf -
@@ -278,13 +283,17 @@ jobs:
              https://vault.ius.io/el6/x86_64/packages/p/perl-Git18-1.8.5.5-4.ius.el6.noarch.rpm \
              https://vault.ius.io/el6/x86_64/packages/g/git18-1.8.5.5-4.ius.el6.x86_64.rpm
          fi
+        env:
+          CONTAINER: ${{ matrix.container }}
        if: startsWith(matrix.container, 'centos')
      - uses: taiki-e/checkout-action@v1
      # cross attempts to install rust-src when Cargo.toml is available even if `cross --version`
      - run: rm -- Cargo.toml
      - name: Generate tool list
        id: tool-list
-        run: tools/ci/tool-list.sh "" "${{ matrix.container }}" >>"${GITHUB_OUTPUT}"
+        run: tools/ci/tool-list.sh "" "${CONTAINER}" >>"${GITHUB_OUTPUT}"
+        env:
+          CONTAINER: ${{ matrix.container }}
      # remove bash installed by checkout-action
      - run: apk --no-cache del bash
        shell: sh
--- a/.github/workflows/manifest.yml
+++ b/.github/workflows/manifest.yml
@@ -37,7 +37,8 @@ jobs:
    permissions:
      contents: write # for creating branch for pr
      pull-requests: write # for gh pr review --approve
-    secrets: inherit
+    secrets:
+      PR_TOKEN_APP_PRIVATE_KEY: ${{ secrets.PR_TOKEN_APP_PRIVATE_KEY }}
    with:
      script: tools/manifest.sh
      commit-script: tools/ci/manifest.sh
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,6 +26,10 @@ defaults:
  run:
    shell: bash --noprofile --norc -CeEuxo pipefail {0}

+concurrency:
+  group: ${{ github.workflow }}
+  cancel-in-progress: false
+
 jobs:
  prepare:
    if: github.repository_owner == 'taiki-e' && inputs.target == 'install-action'
@@ -435,7 +439,8 @@ jobs:
      contents: write # for taiki-e/create-gh-release-action
      id-token: write # for rust-lang/crates-io-auth-action
      attestations: write # unused (used when options for uploading binaries are set)
-    secrets: inherit
+    secrets:
+      PUSH_TOKEN: ${{ secrets.PUSH_TOKEN }}
    with:
      version: ${{ inputs.version }}
      tag-prefix: install-action-manifest-schema-
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -2,7 +2,7 @@
 # https://docs.zizmor.sh/configuration/

 rules:
-  secrets-inherit: { disable: true }
+  anonymous-definition: { disable: true }
  unpinned-uses:
    config:
      policies:
--- a/tools/tidy.sh
+++ b/tools/tidy.sh
@@ -86,11 +86,6 @@ check_config() {
 check_install() {
  for tool in "$@"; do
    if ! type -P "${tool}" >/dev/null; then
-      if [[ "${tool}" == 'python3' ]]; then
-        if type -P python >/dev/null; then
-          continue
-        fi
-      fi
      error "'${tool}' is required to run this check"
      return 1
    fi
@@ -132,10 +127,6 @@ EOF
  exit 1
 fi

-py_suffix=''
-if type -P python3 >/dev/null; then
-  py_suffix=3
-fi
 yq() { uvx yq "$@"; }
 tomlq() { uvx --from yq tomlq "$@"; }
 case "$(uname -s)" in
@@ -700,7 +691,7 @@ elif check_install shellcheck; then
    # Exclude SC2096 due to the way the temporary script is created.
    shellcheck_exclude=SC2096
    info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in \`\$(git ls-files '*Dockerfile*')\`"
-    if check_install jq python3 parse-dockerfile; then
+    if check_install jq parse-dockerfile; then
      shellcheck_for_dockerfile() {
        local text=$1
        local shell=$2
@@ -833,7 +824,7 @@ elif check_install shellcheck; then
    # Exclude SC2096 due to the way the temporary script is created.
    shellcheck_exclude=SC2086,SC2096,SC2129
    info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in .github/workflows/*.yml and **/action.yml"
-    if check_install jq python3 uv; then
+    if check_install jq uv; then
      shellcheck_for_gha() {
        local text=$1
        local shell=$2
@@ -846,16 +837,8 @@ elif check_install shellcheck; then
          *) return ;;
        esac
        text="#!/usr/bin/env ${shell%' {0}'}"$'\n'"${text}"
-        # Use python because sed doesn't support .*?.
-        text=$(
-          "python${py_suffix}" - <<EOF
-import re
-text = re.sub(r"\\\${{.*?}}", "\${__GHA_SYNTAX__}", r'''${text}''')
-print(text)
-EOF
-        )
        case "${ostype}" in
-          windows) text=${text//$'\r'/} ;; # Python print emits \r\n.
+          windows) text=${text//$'\r'/} ;; # Parse error on git bash/msys2 bash.
        esac
        local color=auto
        if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
@@ -989,11 +972,11 @@ if [[ ${#zizmor_targets[@]} -gt 0 ]]; then
    warn "this check is skipped on NetBSD/OpenBSD/Dragonfly/illumos/Solaris due to installing zizmor is hard on these platform"
  elif check_install zizmor; then
    # zizmor can also be used via uvx, but old version will be installed if glibc version is old.
-    # Do not use `zizmor -q .` here because it also attempts to check submodules.
+    # Do not use `zizmor .` here because it also attempts to check submodules.
    IFS=' '
-    info "running \`zizmor -q ${zizmor_targets[*]}\`"
+    info "running \`zizmor -q --pedantic ${zizmor_targets[*]}\`"
    IFS=$'\n\t'
-    zizmor -q "${zizmor_targets[@]}"
+    zizmor -q --pedantic "${zizmor_targets[@]}"
  fi
 fi
 printf '\n'