CI: make newer zizmor happy

* set strict default permissions everywhere * sanitize inputs.systems by passing through an env var
msys2 · Jan 19, 2025 · 2649566 · 2649566
1 parent ea8491e
commit 2649566
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 1 deletion.
diff --git a/.github/workflows/PKGBUILD.yml b/.github/workflows/PKGBUILD.yml
@@ -20,6 +20,9 @@ on:
         required: true
         type: string
 
+permissions:
+  contents: read
+
 jobs:
 
 

diff --git a/.github/workflows/Test.yml b/.github/workflows/Test.yml
@@ -6,6 +6,9 @@ on:
   schedule:
     - cron: '0 0 * * 3,6'
 
+permissions:
+  contents: read
+
 jobs:
 
 

diff --git a/.github/workflows/Tool.yml b/.github/workflows/Tool.yml
@@ -7,6 +7,9 @@ on:
     - cron: '0 0 * * 3'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
 
   matrix:

diff --git a/matrix/action.yml b/matrix/action.yml
@@ -17,6 +17,8 @@ runs:
     - name: Generate list of jobs
       shell: python
       id: jobs
+      env:
+        INPUT_SYSTEMS: ${{ inputs.systems }}
       run: |
         import os
         icons = {
@@ -28,7 +30,7 @@ runs:
         }
         jobs = [
             {'sys': sys.lower(), 'icon': icons[sys.lower()]}
-            for sys in '${{ inputs.systems }}'.split(' ')
+            for sys in os.environ['INPUT_SYSTEMS'].split(' ')
         ]
         with open(os.environ['GITHUB_OUTPUT'], 'a', encoding='utf-8') as h:
           h.write(f"jobs={jobs!s}\n")