fix: zizorm warnings (#1054)

Signed-off-by: Olivier Vernin <me@olblak.com>

Author: olblak

.github/workflows/check-dist.yml

@@ -17,20 +17,29 @@ on:
     paths-ignore:
       - "**.md"
   workflow_dispatch:
+
+permissions: {}
+
 jobs:
   check-dist:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
       - name: Set Node.js 24.x
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 24
           cache: npm
+
       - name: Install dependencies
         run: npm ci
+
       - name: Rebuild the dist/ directory
         run: npm run prepare
+
       - name: Compare the expected and actual dist/ directories
         run: |
           if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
@@ -39,6 +48,7 @@ jobs:
             exit 1
           fi
         id: diff
+
       # If index.js was different than expected, upload the expected version as an artifact
       - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         if: ${{ failure() && steps.diff.conclusion == 'failure' }}

.github/workflows/test.yaml

@@ -17,24 +17,35 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
       - name: Set Node.js 24.x
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: 24
           cache: npm
+
       - name: Install Dependencies
         run: npm ci
+
       - name: Run Lint Test
         run: npm run lint
+
       - name: Run tests
         run: npm test
+
   e2e:
     name: Test Updatecli Github Action
     runs-on: ubuntu-latest
     steps:
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
       - name: Install Updatecli
         uses: ./
+
       - name: Test local action without install-only
         run: updatecli diff --config testdata/updatecli.d/test.yaml

.github/workflows/updatecli.yaml

@@ -14,10 +14,14 @@ jobs:
     steps:
       - name: "Checkout"
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        with:
+          persist-credentials: false
+
       - name: "Setup updatecli"
         uses: "updatecli/updatecli-action@4b17f4ea784de29f71f85f9bc4955402ba1ae53c" # v2.100.0
         with:
           version: "v0.114.0"
+
       - name: "Run updatecli"
         run: updatecli compose apply --clean-git-branches=true --experimental
         env:

.github/workflows/updatecli_test.yaml

@@ -12,10 +12,14 @@ jobs:
     steps:
       - name: "Checkout"
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        with:
+          persist-credentials: false
+
       - name: "Setup updatecli"
         uses: "updatecli/updatecli-action@4b17f4ea784de29f71f85f9bc4955402ba1ae53c" # v2.100.0
         with:
           version: "v0.114.0"
+
       - name: "Test updatecli in dry-run mode"
         run: "updatecli compose diff"
         env:

.github/workflows/updatecli_update.yaml

@@ -17,10 +17,14 @@ jobs:
     steps:
       - name: "Checkout"
         uses: "actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd" # v6.0.2
+        with:
+          persist-credentials: false
+
       - name: "Setup updatecli"
         uses: "updatecli/updatecli-action@4b17f4ea784de29f71f85f9bc4955402ba1ae53c" # v2.100.0
         with:
           version: "v0.114.0"
+
       - name: "Run updatecli only on monitored pipelines"
         run: updatecli compose apply --clean-git-branches=true --labels="monitoring:enabled" --experimental
         env:
@@ -30,6 +34,7 @@ jobs:
           UPDATECLI_UDASH_API_URL: ${{ secrets.UPDATECLI_UDASH_API_URL }}
           UPDATECLI_UDASH_ACCESS_TOKEN: ${{ secrets.UPDATECLI_UDASH_ACCESS_TOKEN }}
           UPDATECLI_UDASH_URL: ${{ secrets.UPDATECLI_UDASH_URL }}
+
       - name: "Run updatecli only on existing pipelines"
         run: updatecli compose apply --clean-git-branches=true --existing-only=true --experimental
         env:

.github/zizmor.yaml

@@ -0,0 +1,10 @@
+rules:
+  secrets-outside-env:
+    config:
+      allow:
+        - UPDATECLIBOT_APP_ID
+        - UPDATECLIBOT_APP_PRIVKEY
+        - UPDATECLIBOT_APP_INSTALLATION_ID
+        - UPDATECLI_UDASH_API_URL
+        - UPDATECLI_UDASH_ACCESS_TOKEN
+        - UPDATECLI_UDASH_URL