[DT-1122] Apply zizmor suggestions (#1733)

DataBiosphere · Jan 15, 2025 · 7cbc06e · 7cbc06e
1 parent 6b8602e
commit 7cbc06e
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 7 deletions.
diff --git a/.github/workflows/dev-image-update.yaml b/.github/workflows/dev-image-update.yaml
@@ -13,7 +13,7 @@ on:
       - 'Dockerfile'
       - '.github/workflows/dev-image-update.yaml'
 env:
-  gcr_google_project: 'broad-jade-dev'
+  GCR_GOOGLE_PROJECT: 'broad-jade-dev'
   google_sdk_version: '290.0.1'
   DEV_PROJECT: broad-jade-dev
   # This must be defined for the bash redirection
@@ -69,21 +69,23 @@ jobs:
           DISABLE_ESLINT_PLUGIN: true
         run: |
           rm -rf jade-dev-account.pem
-          docker build -t gcr.io/${{ env.gcr_google_project }}/jade-data-repo-ui:${GCR_TAG} --build-arg CACHEBUST=$(date +%s) .
+          docker build -t "gcr.io/${GCR_GOOGLE_PROJECT}/jade-data-repo-ui:${GCR_TAG}" --build-arg CACHEBUST=$(date +%s) .
       # Push the Docker image to Google Container Registry
       - name: Publish and tag new docker container to GCR
         run: |
           gcloud auth activate-service-account --key-file jade-dev-account.json
           gcloud auth configure-docker --quiet
-          docker push gcr.io/${{ env.gcr_google_project }}/jade-data-repo-ui:${GCR_TAG}
+          docker push "gcr.io/${GCR_GOOGLE_PROJECT}/jade-data-repo-ui:${GCR_TAG}"
           gcloud container images \
             add-tag \
-            gcr.io/${{ env.gcr_google_project }}/jade-data-repo-ui:"${GCR_TAG}" \
-            gcr.io/${{ env.gcr_google_project }}/jade-data-repo-ui:"${{ steps.uiprevioustag.outputs.tag }}" --quiet
+            "gcr.io/${GCR_GOOGLE_PROJECT}/jade-data-repo-ui:${GCR_TAG}" \
+            "gcr.io/${GCR_GOOGLE_PROJECT}/jade-data-repo-ui:${PREV_TAG}" --quiet
           gcloud container images \
             add-tag \
-            gcr.io/${{ env.gcr_google_project }}/jade-data-repo-ui:"${GCR_TAG}" \
-            gcr.io/${{ env.gcr_google_project }}/jade-data-repo-ui:"${GCR_TAG}-develop" --quiet
+            "gcr.io/${GCR_GOOGLE_PROJECT}/jade-data-repo-ui:${GCR_TAG}" \
+            "gcr.io/${GCR_GOOGLE_PROJECT}/jade-data-repo-ui:${GCR_TAG}-develop" --quiet
+        env:
+          PREV_TAG: ${{ steps.uiprevioustag.outputs.tag }}
   helm_tag_bump:
     needs: update_image
     uses: ./.github/workflows/helmtagbump.yaml

diff --git a/.github/workflows/helmtagbump.yaml b/.github/workflows/helmtagbump.yaml
@@ -12,6 +12,7 @@ jobs:
         with:
           fetch-depth: 0
           ref: develop
+          persist-credentials: false
       - name: 'Get Previous tag'
         id: uiprevioustag
         run: |

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -14,6 +14,8 @@ jobs:
     steps:
       - name: Check out the repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
         with:

diff --git a/.github/workflows/test-e2e.yml b/.github/workflows/test-e2e.yml
@@ -25,6 +25,8 @@ jobs:
     steps:
       - name: Check out the repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
         with:

diff --git a/.github/workflows/test-unit.yml b/.github/workflows/test-unit.yml
@@ -18,6 +18,8 @@ jobs:
     steps:
       - name: Check out the repository
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
         uses: actions/setup-node@v3
         with:

diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -8,4 +8,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - uses: broadinstitute/dsp-appsec-trivy-action@v1