chore(ci): address pedantic zizmor findings (#943)

2025-12-23 08:47:33 +00:00 · 2025-06-13 20:36:09 -04:00 · 2025-06-13 20:36:09 -04:00 · d9fc0e1a23
commit d9fc0e1a23
parent c6f0e29d4d
10 changed files with 22 additions and 4 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -10,6 +10,7 @@ permissions: {}

 jobs:
  lint:
+    name: Lint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -25,6 +26,7 @@ jobs:
        run: cargo clippy -- --deny warnings

  test:
+    name: Test
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -51,6 +53,7 @@ jobs:
        git diff --exit-code

  test-site:
+    name: Test site build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@ -63,6 +66,7 @@ jobs:
        run: make site

  all-tests-pass:
+    name: All tests pass
    if: always()
    needs: [lint, test, test-site]
    runs-on: ubuntu-latest
--- a/.github/workflows/release-docker.yml
+++ b/.github/workflows/release-docker.yml
@ -78,9 +78,9 @@ jobs:

      - name: Export digest
        run: |
-          mkdir -p ${{ runner.temp }}/digests
+          mkdir -p "${RUNNER_TEMP}/digests"
          digest="${DIGEST}"
-          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+          touch "${RUNNER_TEMP}/digests/${digest#sha256:}"
        env:
          DIGEST: ${{ steps.build.outputs.digest }}

@ -93,6 +93,7 @@ jobs:
          retention-days: 1

  merge:
+    name: Merge image builds
    needs: build
    runs-on: ubuntu-latest

@ -149,7 +150,7 @@ jobs:
          docker buildx imagetools create \
            "${annotations[@]}" \
            $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.ZIZMOR_IMAGE }}@sha256:%s ' *)
+            $(printf "${ZIZMOR_IMAGE}@sha256:%s " *)

      - name: Inspect image
        run: |
--- a/.github/workflows/release-pypi.yml
+++ b/.github/workflows/release-pypi.yml
@ -13,6 +13,7 @@ permissions:

 jobs:
  linux:
+    name: Build Linux wheels (manylinux)
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
@ -52,6 +53,7 @@ jobs:
          path: dist

  musllinux:
+    name: Build Linux wheels (musllinux)
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
@ -81,6 +83,7 @@ jobs:
          path: dist

  windows:
+    name: Build Windows wheels
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
@ -105,6 +108,7 @@ jobs:
          path: dist

  macos:
+    name: Build macOS wheels
    runs-on: ${{ matrix.platform.runner }}
    strategy:
      matrix:
@ -129,6 +133,7 @@ jobs:
          path: dist

  sdist:
+    name: Build source distribution
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/release-support-crate.yml
+++ b/.github/workflows/release-support-crate.yml
@ -17,6 +17,7 @@ permissions: {}

 jobs:
  crates:
+    name: Publish support crate to crates.io 📦
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/release-zizmor-crate.yml
+++ b/.github/workflows/release-zizmor-crate.yml
@ -9,6 +9,7 @@ permissions: {}

 jobs:
  crates:
+    name: Publish zizmor to crates.io 📦
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
--- a/.github/workflows/site.yml
+++ b/.github/workflows/site.yml
@ -1,4 +1,4 @@
-name: Deploy zizmor site 🌐
+name: Deploy zizmor documentation site 🌐

 on:
  push:
@ -15,6 +15,7 @@ permissions: {}

 jobs:
  deploy:
+    name: Deploy zizmor documentation to GitHub Pages 🌐
    permissions:
      contents: read
      pages: write
--- a/.github/workflows/test-output.yml
+++ b/.github/workflows/test-output.yml
@ -12,6 +12,7 @@ permissions: {}

 jobs:
  test-sarif-presentation:
+    name: Test SARIF presentation
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'test-sarif-presentation')
    permissions:
@ -48,6 +49,7 @@ jobs:
            })

  test-github-presentation:
+    name: Test GitHub annotations presentation
    runs-on: ubuntu-latest
    if: contains(github.event.pull_request.labels.*.name, 'test-github-presentation')
    permissions: {}
--- a/.github/workflows/wolfi-update-check.yml
+++ b/.github/workflows/wolfi-update-check.yml
@ -9,6 +9,7 @@ permissions: {}

 jobs:
  check-for-new-version:
+    name: Check for new zizmor version in Wolfi OS
    runs-on: ubuntu-latest
    # this job does not make sense on forks
    if: ${{ github.repository_owner == 'zizmorcore' }}
--- a/.github/workflows/zizmor.yml
+++ b/.github/workflows/zizmor.yml
@ -10,6 +10,7 @@ permissions: {}

 jobs:
  zizmor:
+    name: Run zizmor 🌈
    runs-on: ubuntu-latest
    permissions:
      security-events: write