ci: safe ci using zizmor check (GreptimeTeam#5491)

* ci: safe ci using zizmor check Signed-off-by: yihong0618 <[email protected]> * fix: lines empty Signed-off-by: yihong0618 <[email protected]> * fix: delete useless code Signed-off-by: yihong0618 <[email protected]> --------- Signed-off-by: yihong0618 <[email protected]>
lyang24 · Feb 11, 2025 · 342883e · 342883e
1 parent 5be81ab
commit 342883e
Show file tree

Hide file tree

Showing 12 changed files with 169 additions and 41 deletions.
diff --git a/.github/workflows/apidoc.yml b/.github/workflows/apidoc.yml
@@ -17,6 +17,8 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - uses: arduino/setup-protoc@v3
       with:
         repo-token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/dependency-check.yml b/.github/workflows/dependency-check.yml
@@ -12,6 +12,8 @@ jobs:
     steps:
     - name: Checkout code
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: Set up Rust
       uses: actions-rust-lang/setup-rust-toolchain@v1

diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-build.yml
@@ -82,9 +82,6 @@ env:
   # The source code will check out in the following path: '${WORKING_DIR}/dev/greptime'.
   CHECKOUT_GREPTIMEDB_PATH: dev/greptimedb
 
-permissions:
-  issues: write
-
 jobs:
   allocate-runners:
     name: Allocate runners
@@ -107,6 +104,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Create version
         id: create-version
@@ -161,13 +159,15 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Checkout greptimedb
         uses: actions/checkout@v4
         with:
           repository: ${{ inputs.repository }}
           ref: ${{ inputs.commit }}
           path: ${{ env.CHECKOUT_GREPTIMEDB_PATH }}
+          persist-credentials: true
 
       - uses: ./.github/actions/build-linux-artifacts
         with:
@@ -192,13 +192,15 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Checkout greptimedb
         uses: actions/checkout@v4
         with:
           repository: ${{ inputs.repository }}
           ref: ${{ inputs.commit }}
           path: ${{ env.CHECKOUT_GREPTIMEDB_PATH }}
+          persist-credentials: true
 
       - uses: ./.github/actions/build-linux-artifacts
         with:
@@ -226,6 +228,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Build and push images to dockerhub
         uses: ./.github/actions/build-images
@@ -257,6 +260,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Release artifacts to CN region
         uses: ./.github/actions/release-cn-artifacts
@@ -291,6 +295,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Stop EC2 runner
         uses: ./.github/actions/stop-runner
@@ -316,6 +321,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Stop EC2 runner
         uses: ./.github/actions/stop-runner
@@ -334,10 +340,16 @@ jobs:
       release-images-to-dockerhub
     ]
     runs-on: ubuntu-20.04
+    permissions:
+      issues: write
+
     env:
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_DEVELOP_CHANNEL }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          persist-credentials: false
       - uses: ./.github/actions/setup-cyborg
       - name: Report CI status
         id: report-ci-status

diff --git a/.github/workflows/develop.yml b/.github/workflows/develop.yml
@@ -26,6 +26,8 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: crate-ci/typos@master
       - name: Check the config docs
         run: |
@@ -38,6 +40,8 @@ jobs:
     name: Check License Header
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: korandoru/hawkeye@v5
 
   check:
@@ -49,6 +53,8 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: arduino/setup-protoc@v3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -70,6 +76,8 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions-rust-lang/setup-rust-toolchain@v1
       - name: Install taplo
         run: cargo +stable install taplo-cli --version ^0.9 --locked --force
@@ -85,6 +93,8 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: arduino/setup-protoc@v3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -139,6 +149,8 @@ jobs:
           echo "Disk space after:"
           df -h
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: arduino/setup-protoc@v3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -192,6 +204,8 @@ jobs:
           echo "Disk space after:"
           df -h
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: arduino/setup-protoc@v3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -238,6 +252,8 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: arduino/setup-protoc@v3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -295,6 +311,8 @@ jobs:
           echo "Disk space after:"
           df -h
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Kind
         uses: ./.github/actions/setup-kind
       - if: matrix.mode.minio
@@ -437,6 +455,8 @@ jobs:
           echo "Disk space after:"
           df -h
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Kind
         uses: ./.github/actions/setup-kind
       - name: Setup Chaos Mesh
@@ -562,6 +582,8 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - if: matrix.mode.kafka
         name: Setup kafka server
         working-directory: tests-integration/fixtures
@@ -589,6 +611,8 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: arduino/setup-protoc@v3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -604,6 +628,8 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: arduino/setup-protoc@v3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -626,6 +652,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Merge Conflict Finder
         uses: olivernybroe/[email protected]
 
@@ -636,6 +664,8 @@ jobs:
     needs:  [conflict-check, clippy, fmt]
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: arduino/setup-protoc@v3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
@@ -684,6 +714,8 @@ jobs:
     timeout-minutes: 60
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: arduino/setup-protoc@v3
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}

diff --git a/.github/workflows/docbot.yml b/.github/workflows/docbot.yml
@@ -1,18 +1,19 @@
 name: Follow Up Docs
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, edited]
 
-permissions:
-  pull-requests: write
-  contents: read
-
 jobs:
   docbot:
     runs-on: ubuntu-20.04
+    permissions:
+      pull-requests: write
+      contents: read
     timeout-minutes: 10
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup-cyborg
       - name: Maybe Follow Up Docs Issue
         working-directory: cyborg

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -34,13 +34,17 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: crate-ci/typos@master
 
   license-header-check:
     runs-on: ubuntu-20.04
     name: Check License Header
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: korandoru/hawkeye@v5
 
   check:

diff --git a/.github/workflows/nightly-build.yml b/.github/workflows/nightly-build.yml
@@ -70,9 +70,6 @@ env:
   # The DockerHub image will be greptime/greptimedb-nightly.
   IMAGE_NAME: greptimedb-nightly
 
-permissions:
-  issues: write
-
 jobs:
   allocate-runners:
     name: Allocate runners
@@ -95,6 +92,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Create version
         id: create-version
@@ -147,6 +145,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: ./.github/actions/build-linux-artifacts
         with:
@@ -168,6 +167,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: ./.github/actions/build-linux-artifacts
         with:
@@ -193,6 +193,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Build and push images to dockerhub
         uses: ./.github/actions/build-images
@@ -226,6 +227,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Release artifacts to CN region
         uses: ./.github/actions/release-cn-artifacts
@@ -260,6 +262,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Stop EC2 runner
         uses: ./.github/actions/stop-runner
@@ -285,6 +288,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Stop EC2 runner
         uses: ./.github/actions/stop-runner
@@ -303,10 +307,14 @@ jobs:
       release-images-to-dockerhub
     ]
     runs-on: ubuntu-20.04
+    permissions:
+      issues: write
     env:
       SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL_DEVELOP_CHANNEL }}
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: ./.github/actions/setup-cyborg
       - name: Report CI status
         id: report-ci-status