ci: zizmor autofix - artipacked + template-injection across workflows

nicktrn · nicktrn · commit cec7bd9761f2 · 2026-05-01T18:31:45.000+01:00
diff --git a/.github/actions/get-image-tag/action.yml b/.github/actions/get-image-tag/action.yml
@@ -23,35 +23,37 @@ runs:
       id: get_tag
       shell: bash
       run: |
-        if [[ -n "${{ inputs.tag }}" ]]; then
-          tag="${{ inputs.tag }}"
-        elif [[ "${{ github.ref_type }}" == "tag" ]]; then
-          if [[ "${{ github.ref_name }}" == infra-*-* ]]; then
-            env=$(echo ${{ github.ref_name }} | cut -d- -f2)
+        if [[ -n "${INPUTS_TAG}" ]]; then
+          tag="${INPUTS_TAG}"
+        elif [[ "${GITHUB_REF_TYPE}" == "tag" ]]; then
+          if [[ "${GITHUB_REF_NAME}" == infra-*-* ]]; then
+            env=$(echo ${GITHUB_REF_NAME} | cut -d- -f2)
             sha=$(echo ${{ github.sha }} | head -c7)
             ts=$(date +%s)
             tag=${env}-${sha}-${ts}
-          elif [[ "${{ github.ref_name }}" == re2-*-* ]]; then
-            env=$(echo ${{ github.ref_name }} | cut -d- -f2)
+          elif [[ "${GITHUB_REF_NAME}" == re2-*-* ]]; then
+            env=$(echo ${GITHUB_REF_NAME} | cut -d- -f2)
             sha=$(echo ${{ github.sha }} | head -c7)
             ts=$(date +%s)
             tag=${env}-${sha}-${ts}
-          elif [[ "${{ github.ref_name }}" == v.docker.* ]]; then
+          elif [[ "${GITHUB_REF_NAME}" == v.docker.* ]]; then
             version="${GITHUB_REF_NAME#v.docker.}"
             tag="v${version}"
-          elif [[ "${{ github.ref_name }}" == build-* ]]; then
+          elif [[ "${GITHUB_REF_NAME}" == build-* ]]; then
             tag="${GITHUB_REF_NAME#build-}"
           else
-            echo "Invalid git tag: ${{ github.ref_name }}"
+            echo "Invalid git tag: ${GITHUB_REF_NAME}"
             exit 1
           fi
-        elif [[ "${{ github.ref_name }}" == "main" ]]; then
+        elif [[ "${GITHUB_REF_NAME}" == "main" ]]; then
           tag="main"
         else
-          echo "Invalid git ref: ${{ github.ref }}"
+          echo "Invalid git ref: ${GITHUB_REF}"
           exit 1
         fi
         echo "tag=${tag}" >> "$GITHUB_OUTPUT"
+      env:
+        INPUTS_TAG: ${{ inputs.tag }}
 
     - name: 🔍 Check for validity
       id: check_validity
diff --git a/.github/workflows/changesets-pr.yml b/.github/workflows/changesets-pr.yml
@@ -28,6 +28,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
@@ -84,6 +85,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: changeset-release/main
+          persist-credentials: false
 
       - name: Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
@@ -133,6 +135,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: changeset-release/main
+          persist-credentials: false
 
       - name: Bump Chart.yaml
         run: |
diff --git a/.github/workflows/claude-md-audit.yml b/.github/workflows/claude-md-audit.yml
@@ -30,6 +30,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Run Claude Code
         id: claude
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
@@ -29,6 +29,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 1
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: 📥 Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: 📦 Cache npm
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
diff --git a/.github/workflows/e2e-webapp.yml b/.github/workflows/e2e-webapp.yml
@@ -44,6 +44,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -27,6 +27,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: ⎔ Setup pnpm
         uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v5.0.0
diff --git a/.github/workflows/helm-prerelease.yml b/.github/workflows/helm-prerelease.yml
@@ -34,6 +34,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Helm
         uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
@@ -78,6 +80,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Helm
         uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
@@ -112,7 +116,7 @@ jobs:
             PRERELEASE_VERSION="${BASE_VERSION}-main.${SHORT_SHA}"
           else
             SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
-            REF_SLUG=$(echo "${{ github.ref_name }}" | tr '/' '-' | tr -cd 'a-zA-Z0-9-')
+            REF_SLUG=$(echo "${GITHUB_REF_NAME}" | tr '/' '-' | tr -cd 'a-zA-Z0-9-')
             if [[ -z "$REF_SLUG" ]]; then
               REF_SLUG="manual"
             fi
@@ -123,7 +127,9 @@ jobs:
 
       - name: Update Chart.yaml with prerelease version
         run: |
-          sed -i "s/^version:.*/version: ${{ steps.version.outputs.version }}/" ./hosting/k8s/helm/Chart.yaml
+          sed -i "s/^version:.*/version: ${STEPS_VERSION_OUTPUTS_VERSION}/" ./hosting/k8s/helm/Chart.yaml
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Override appVersion
         if: github.event_name == 'workflow_dispatch' && inputs.app_version != ''
@@ -138,26 +144,30 @@ jobs:
 
       - name: Push Helm Chart to GHCR
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
+          VERSION="${STEPS_VERSION_OUTPUTS_VERSION}"
           CHART_PACKAGE="/tmp/${{ env.CHART_NAME }}-${VERSION}.tgz"
 
           # Push to GHCR OCI registry
           helm push "$CHART_PACKAGE" "oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts"
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Write run summary
         run: |
           {
             echo "### 🧭 Helm Chart Prerelease Published"
             echo ""
-            echo "**Version:** \`${{ steps.version.outputs.version }}\`"
+            echo "**Version:** \`${STEPS_VERSION_OUTPUTS_VERSION}\`"
             echo ""
             echo "**Install:**"
             echo '```bash'
             echo "helm upgrade --install trigger \\"
             echo "  oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts/${{ env.CHART_NAME }} \\"
-            echo "  --version \"${{ steps.version.outputs.version }}\""
+            echo "  --version \"${STEPS_VERSION_OUTPUTS_VERSION}\""
             echo '```'
           } >> "$GITHUB_STEP_SUMMARY"
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Find existing comment
         if: github.event_name == 'pull_request'
diff --git a/.github/workflows/publish-webapp.yml b/.github/workflows/publish-webapp.yml
@@ -30,6 +30,7 @@ jobs:
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: "#️⃣ Get the image tag"
         id: get_tag
@@ -46,28 +47,34 @@ jobs:
         id: set_tags
         run: |
           ref_without_tag=ghcr.io/triggerdotdev/trigger.dev
-          image_tags=$ref_without_tag:${{ steps.get_tag.outputs.tag }}
+          image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}
 
           # if tag is a semver, also tag it as v4
-          if [[ "${{ steps.get_tag.outputs.is_semver }}" == true ]]; then
+          if [[ "${STEPS_GET_TAG_OUTPUTS_IS_SEMVER}" == true ]]; then
             # TODO: switch to v4 tag on GA
             image_tags=$image_tags,$ref_without_tag:v4-beta
           fi
 
           echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
+        env:
+          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
+          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
 
       - name: 📝 Set the build info
         id: set_build_info
         run: |
           {
-            tag="${{ steps.get_tag.outputs.tag }}"
-            if [[ "${{ steps.get_tag.outputs.is_semver }}" == true ]]; then
+            tag="${STEPS_GET_TAG_OUTPUTS_TAG}"
+            if [[ "${STEPS_GET_TAG_OUTPUTS_IS_SEMVER}" == true ]]; then
               echo "BUILD_APP_VERSION=${tag}"
             fi
             echo "BUILD_GIT_SHA=${{ github.sha }}"
-            echo "BUILD_GIT_REF_NAME=${{ github.ref_name }}"
+            echo "BUILD_GIT_REF_NAME=${GITHUB_REF_NAME}"
             echo "BUILD_TIMESTAMP_SECONDS=$(date +%s)"
           } >> "$GITHUB_OUTPUT"
+        env:
+          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
+          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
 
       - name: 🐙 Login to GitHub Container Registry
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
diff --git a/.github/workflows/publish-worker-v4.yml b/.github/workflows/publish-worker-v4.yml
@@ -41,6 +41,8 @@ jobs:
 
       - name: ⬇️ Checkout git repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: 📦 Get image repo
         id: get_repository
@@ -63,16 +65,20 @@ jobs:
       - name: 📛 Set tags to push
         id: set_tags
         run: |
-          ref_without_tag=ghcr.io/triggerdotdev/${{ steps.get_repository.outputs.repo }}
-          image_tags=$ref_without_tag:${{ steps.get_tag.outputs.tag }}
+          ref_without_tag=ghcr.io/triggerdotdev/${STEPS_GET_REPOSITORY_OUTPUTS_REPO}
+          image_tags=$ref_without_tag:${STEPS_GET_TAG_OUTPUTS_TAG}
 
           # if tag is a semver, also tag it as v4
-          if [[ "${{ steps.get_tag.outputs.is_semver }}" == true ]]; then
+          if [[ "${STEPS_GET_TAG_OUTPUTS_IS_SEMVER}" == true ]]; then
             # TODO: switch to v4 tag on GA
             image_tags=$image_tags,$ref_without_tag:v4-beta
           fi
 
           echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
+        env:
+          STEPS_GET_REPOSITORY_OUTPUTS_REPO: ${{ steps.get_repository.outputs.repo }}
+          STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
+          STEPS_GET_TAG_OUTPUTS_IS_SEMVER: ${{ steps.get_tag.outputs.is_semver }}
 
       - name: 🐙 Login to GitHub Container Registry
         uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
diff --git a/.github/workflows/publish-worker.yml b/.github/workflows/publish-worker.yml
@@ -29,6 +29,8 @@ jobs:
     steps:
       - name: ⬇️ Checkout git repo
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: 📦 Get image repo
         id: get_repository
diff --git a/.github/workflows/release-helm.yml b/.github/workflows/release-helm.yml
@@ -29,6 +29,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Helm
         uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
@@ -68,6 +70,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Set up Helm
         uses: azure/setup-helm@dda3372f752e03dde6b3237bc9431cdc2f7a02a2 # v5.0.0
@@ -92,18 +96,20 @@ jobs:
       - name: Extract version from tag or input
         id: version
         run: |
-          if [ -n "${{ inputs.chart_version }}" ]; then
-            VERSION="${{ inputs.chart_version }}"
+          if [ -n "${INPUTS_CHART_VERSION}" ]; then
+            VERSION="${INPUTS_CHART_VERSION}"
           else
-            VERSION="${{ github.ref_name }}"
+            VERSION="${GITHUB_REF_NAME}"
             VERSION="${VERSION#helm-v}"
           fi
           echo "version=$VERSION" >> "$GITHUB_OUTPUT"
           echo "Releasing version: $VERSION"
+        env:
+          INPUTS_CHART_VERSION: ${{ inputs.chart_version }}
 
       - name: Check Chart.yaml version matches release version
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
+          VERSION="${STEPS_VERSION_OUTPUTS_VERSION}"
           CHART_VERSION=$(grep '^version:' ./hosting/k8s/helm/Chart.yaml | awk '{print $2}')
           echo "Chart.yaml version: $CHART_VERSION"
           echo "Release version: $VERSION"
@@ -112,18 +118,22 @@ jobs:
             exit 1
           fi
           echo "✅ Chart.yaml version matches release version."
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Package Helm Chart
         run: |
           helm package ./hosting/k8s/helm/ --destination /tmp/
 
       - name: Push Helm Chart to GHCR
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
+          VERSION="${STEPS_VERSION_OUTPUTS_VERSION}"
           CHART_PACKAGE="/tmp/${{ env.CHART_NAME }}-${VERSION}.tgz"
           
           # Push to GHCR OCI registry
           helm push "$CHART_PACKAGE" "oci://${{ env.REGISTRY }}/${{ github.repository_owner }}/charts"
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Create GitHub Release
         id: release
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
diff --git a/.github/workflows/sdk-compat.yml b/.github/workflows/sdk-compat.yml
diff --git a/.github/workflows/typecheck.yml b/.github/workflows/typecheck.yml
diff --git a/.github/workflows/unit-tests-internal.yml b/.github/workflows/unit-tests-internal.yml
diff --git a/.github/workflows/unit-tests-packages.yml b/.github/workflows/unit-tests-packages.yml
diff --git a/.github/workflows/unit-tests-webapp.yml b/.github/workflows/unit-tests-webapp.yml
