Merge pull request #9785 from jepler/zizmor

Fix various issues detected by zizmor

.github/workflows/build-board-custom.yml

@@ -42,21 +42,29 @@ jobs:
       run: |
         git clone --filter=tree:0 https://github.com/adafruit/circuitpython.git $GITHUB_WORKSPACE
     - name: Checkout head / tag
+      env:
+        TAG: ${{ inputs.version == 'latest' && 'HEAD' || inputs.version }}
       run: |
-        git checkout ${{ inputs.version == 'latest' && 'HEAD' || inputs.version }}
+        git checkout "$TAG"
     - name: fork compatibility
       if: github.repository_owner != 'adafruit'
+      env:
+        REPO: ${{ github.repository }}
       run: |
-        git remote add fork https://github.com/${{github.repository}}.git
+        git remote add fork "https://github.com/$REPO.git"
         git fetch fork --filter=tree:0
     - name: branch compatibility
       if: inputs.branch != 'main' && inputs.version == 'latest' && github.repository_owner == 'adafruit'
+      env:
+        BRANCH: ${{ inputs.branch }}
       run: |
-        git checkout ${{inputs.branch}}
+        git checkout "$BRANCH"
     - name: branch compatibility (fork)
       if: inputs.branch != '' && inputs.version == 'latest' && github.repository_owner != 'adafruit'
+      env:
+        BRANCH: ${{ inputs.branch }}
       run: |
-        git checkout -b fork-branch fork/${{inputs.branch}}
+        git checkout -b fork-branch "fork/$BRANCH"
     - name: Set up identifier
       if: inputs.debug || inputs.flags != ''
       run: |
@@ -101,7 +109,12 @@ jobs:
         riscv64-unknown-elf-gcc --version || true
         mkfs.fat --version || true
     - name: Build board
-      run: make -j4 ${{ inputs.flags }} BOARD=${{ inputs.board }} DEBUG=${{ inputs.debug && '1' || '0' }} TRANSLATION=${{ inputs.language }}
+      env:
+        TRANSLATION: ${{ inputs.language }}
+        BOARD: ${{ inputs.board }}
+        FLAGS: ${{ inputs.flags }}
+        DEBUG: ${{ inputs.debug && '1' || '0' }}
+      run: make -j4 $FLAGS BOARD="$BOARD" DEBUG=$DEBUG TRANSLATION="$TRANSLATION"
       working-directory: ports/${{ steps.set-up-port.outputs.port }}
     - name: Upload artifact
       uses: actions/upload-artifact@v4

.github/workflows/build-boards.yml

@@ -31,6 +31,7 @@ jobs:
         submodules: false
         show-progress: false
         fetch-depth: 1
+        persist-credentials: false
 
     - name: Set up python
       uses: actions/setup-python@v5

.github/workflows/build-mpy-cross.yml

@@ -33,6 +33,7 @@ jobs:
         submodules: false
         show-progress: false
         fetch-depth: 1
+        persist-credentials: false
     - name: Set up python
       uses: actions/setup-python@v5
       with:
@@ -57,9 +58,12 @@ jobs:
       run: make -C mpy-cross -j4 -f Makefile.${{ matrix.mpy-cross }}
 
     - name: Set output
+      env:
+        EX: ${{ env[format('EX_{0}', matrix.mpy-cross)] || matrix.mpy-cross }}
+        OS: ${{ env[format('OS_{0}', matrix.mpy-cross)] }}"
       run: |
-        echo >> $GITHUB_ENV "EX=${{ env[format('EX_{0}', matrix.mpy-cross)] || matrix.mpy-cross }}"
-        echo >> $GITHUB_ENV "OS=${{ env[format('OS_{0}', matrix.mpy-cross)] }}"
+        echo >> $GITHUB_ENV "EX=$EX"
+        echo >> $GITHUB_ENV "OS=$OS"
 
     - name: Upload artifact
       uses: actions/upload-artifact@v4

.github/workflows/build.yml

@@ -33,6 +33,7 @@ jobs:
         submodules: false
         show-progress: false
         fetch-depth: 1
+        persist-credentials: false
     - name: Set up python
       uses: actions/setup-python@v5
       with:
@@ -66,15 +67,19 @@ jobs:
         EXCLUDE_COMMIT: ${{ github.event.pull_request.head.sha }}
     - name: Set head sha (pull)
       if: github.event_name == 'pull_request'
-      run: echo "HEAD_SHA=${{ github.event.pull_request.head.sha }}" >> $GITHUB_ENV
+      env:
+        HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+      run: echo "HEAD_SHA=$HEAD_SHA" >> $GITHUB_ENV
     - name: Set base sha (pull)
       if: github.event_name == 'pull_request'
       run: git cat-file -e $SHA && echo "BASE_SHA=$SHA" >> $GITHUB_ENV || true
       env:
         SHA: ${{ steps.get-last-commit-with-checks.outputs.commit_sha || github.event.pull_request.base.sha }}
     - name: Set head sha (push)
       if: github.event_name == 'push'
-      run: echo "HEAD_SHA=${{ github.event.after }}" >> $GITHUB_ENV
+      env:
+        SHA: ${{ github.event.after }}
+      run: echo "HEAD_SHA=$SHA" >> $GITHUB_ENV
     - name: Set base sha (push)
       if: github.event_name == 'push'
       run: git cat-file -e $SHA && echo "BASE_SHA=$SHA" >> $GITHUB_ENV || true
@@ -114,6 +119,7 @@ jobs:
         submodules: false
         show-progress: false
         fetch-depth: 1
+        persist-credentials: false
     - name: Set up python
       uses: actions/setup-python@v5
       with:
@@ -149,9 +155,9 @@ jobs:
           (github.event_name == 'push' && github.ref == 'refs/heads/main' && github.repository_owner == 'adafruit') ||
           (github.event_name == 'release' && (github.event.action == 'published' || github.event.action == 'rerequested'))
       run: |
-        [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross-macos-universal s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-${{ env.CP_VERSION }}-universal --no-progress --region us-east-1
-        [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross/build-arm64/mpy-cross-arm64 s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-${{ env.CP_VERSION }}-arm64 --no-progress --region us-east-1
-        [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross/build/mpy-cross s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-${{ env.CP_VERSION }}-x64 --no-progress --region us-east-1
+        [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross-macos-universal s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-"${CP_VERSION}"-universal --no-progress --region us-east-1
+        [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross/build-arm64/mpy-cross-arm64 s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-"${CP_VERSION}"-arm64 --no-progress --region us-east-1
+        [ -z "$AWS_ACCESS_KEY_ID" ] || aws s3 cp mpy-cross/build/mpy-cross s3://adafruit-circuit-python/bin/mpy-cross/macos/mpy-cross-macos-"${CP_VERSION}"-x64 --no-progress --region us-east-1
       env:
         AWS_PAGER: ''
         AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
@@ -170,6 +176,7 @@ jobs:
         submodules: false
         show-progress: false
         fetch-depth: 1
+        persist-credentials: false
     - name: Set up python
       uses: actions/setup-python@v5
       with:
@@ -188,7 +195,7 @@ jobs:
         name: stubs
         path: circuitpython-stubs/dist/*
     - name: Test Documentation Build (HTML)
-      run: sphinx-build -E -W -b html -D version=${{ env.CP_VERSION }} -D release=${{ env.CP_VERSION }} . _build/html
+      run: sphinx-build -E -W -b html -D version="$CP_VERSION" -D release="$CP_VERSION" . _build/html
     - uses: actions/upload-artifact@v4
       with:
         name: docs-html
@@ -271,6 +278,7 @@ jobs:
         submodules: false
         show-progress: false
         fetch-depth: 1
+        persist-credentials: false
     - name: Set up submodules
       uses: ./.github/actions/deps/submodules
     - name: build mpy-cross

.github/workflows/create-website-pr.yml

@@ -22,6 +22,7 @@ jobs:
         submodules: false
         show-progress: false
         fetch-depth: 1
+        persist-credentials: false
     - name: Set up python
       uses: actions/setup-python@v5
       with:

.github/workflows/pre-commit.yml

@@ -22,6 +22,7 @@ jobs:
         submodules: false
         show-progress: false
         fetch-depth: 1
+        persist-credentials: false
     - name: Set up python
       uses: actions/setup-python@v5
       with: