
Commit ef03469

committed
fix workflows
1 parent 1741809 commit ef03469

3 files changed

Lines changed: 28 additions & 12 deletions


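--- a/.github/workflows/quality-checks-devcontainer.yml
+++ b/.github/workflows/quality-checks-devcontainer.yml
@@ -46,6 +46,7 @@ jobs:
 with:
 ref: ${{ env.BRANCH_NAME }}
 fetch-depth: 0
+persist-credentials: false
 
 - &setup_npmrc
 name: Setting up .npmrc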
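Review bot: The added `persist-credentials: false` has no comment saying why it is there or what it changes for the rest of the job, and this checkout also sets `fetch-depth: 0` with a branch `ref`, which suggests later steps work with git history. With the token no longer written to the local git config, any later step that fetches, pushes or tags over authenticated git has to be given a token explicitly; the steps after this one are outside the hunk, so that is worth confirming before merge. I would add a line above the key such as `# keep the checkout token out of .git/config; steps needing authenticated git must pass a token explicitly`. The same one-line addition in tag-release-devcontainer.yml (new line 131) deserves the same comment and the same check, since that job goes on to install semantic release dependencies.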

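--- a/.github/workflows/tag-release-devcontainer.yml
+++ b/.github/workflows/tag-release-devcontainer.yml
@@ -128,6 +128,7 @@ jobs:
 release.config.cjs
 releaseNotesTemplates/commit.hbs
 packages/
+persist-credentials: false
 - name: Install semantic release dependencies globally
 run: |
 cd common_workflow_config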

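--- a/zizmor.yml
+++ b/zizmor.yml
@@ -4,30 +4,44 @@ rules:
 days: 3
 secrets-outside-env:
 ignore:
-# this workflow uses secrets outside of an environment
+# these workflows use secrets outside of an environment because it is passed into the workflow
 - tag-release-devcontainer.yml:108:39
 - tag-release-devcontainer.yml:228:34
 - tag-release-devcontainer.yml:234:35
 - tag-release-devcontainer.yml:240:34
 - tag-release-devcontainer.yml:248:35
 - update-dev-container-version.yml:135:24
 - update-dev-container-version.yml:136:29
-- quality-checks-devcontainer.yml:210:28
-- quality-checks-devcontainer.yml:203:28
-- quality-checks-devcontainer.yml:190:29
+- quality-checks-devcontainer.yml:211:28
+- quality-checks-devcontainer.yml:204:28
+- quality-checks-devcontainer.yml:191:29
 - dependabot-auto-approve-and-merge.yml:24:31
 - dependabot-auto-approve-and-merge.yml:25:36
-- tag-release-devcontainer.yml:229:34
-- tag-release-devcontainer.yml:235:35
-- tag-release-devcontainer.yml:241:34
-- tag-release-devcontainer.yml:249:35
+- tag-release-devcontainer.yml:230:34
+- tag-release-devcontainer.yml:236:35
+- tag-release-devcontainer.yml:242:34
+- tag-release-devcontainer.yml:250:35
 - update-dev-container-version.yml:136:24
 - update-dev-container-version.yml:137:29
+- update-dev-container-version.yml:133:24
+- update-dev-container-version.yml:134:29
 unpinned-images:
+# these workflows use unpinned images because they are using a full image passed in that contains the tag
 ignore:
 - quality-checks-devcontainer.yml:32:7
-- quality-checks-devcontainer.yml:215:7
-- quality-checks-devcontainer.yml:285:7
-- quality-checks-devcontainer.yml:328:7
+- quality-checks-devcontainer.yml:216:7
+- quality-checks-devcontainer.yml:286:7
+- quality-checks-devcontainer.yml:329:7
 - tag-release-devcontainer.yml:89:13
-- quality-checks-devcontainer.yml:330:7
+- quality-checks-devcontainer.yml:331:7
+excessive-permissions:
+# these are possible excessive permissions but need time to work out if they are actually excessive or not
+ignore:
+- pull_request.yml:1:1
+- pull_request.yml:11:3
+- pull_request.yml:18:3
+- pull_request.yml:21:3
+- pull_request.yml:26:3
+- release.yml:1:1
+- release.yml:11:3
+- release.yml:13:3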
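Review bot: The new `excessive-permissions` block suppresses eight findings in pull_request.yml and release.yml on the strength of a comment that says they still need investigating, with nothing that tracks the follow-up, so the suppression can easily become permanent. The `1:1` entries look like workflow-level findings, which usually means the workflow falls back to the default token scope; those two files are not part of this commit, so that is inferred. I would either declare an explicit least-privilege `permissions:` block in those workflows now, or tie the ignore to a tracked item, e.g. `# TODO(<tracking-issue placeholder>): review token permissions and remove these ignores`. Separately, the line:column pins in `secrets-outside-env` had to be bumped by hand here and the older positions (`tag-release-devcontainer.yml:228:34`, `update-dev-container-version.yml:135:24` and their neighbours) were left in place; entries that no longer match a reviewed finding can mask a new one that lands on the same position, so pruning them, or using inline `# zizmor: ignore[secrets-outside-env]` comments that move with the code, would keep the allowlist honest.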
