ci: harden github actions according to "zizmor" recommendations (#13062) (#13067)

Fix all issues reported by zizmor 0.9.2 running locally.

See: https://woodruffw.github.io/zizmor/
(cherry picked from commit ee8f98d)

Co-authored-by: Ran Benita <[email protected]>

Author: patchback[bot]

.github/workflows/deploy.yml

@@ -46,6 +46,8 @@ jobs:
       contents: write
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: true
 
     - name: Download Package
       uses: actions/download-artifact@v4
@@ -59,11 +61,13 @@ jobs:
         attestations: true
 
     - name: Push tag
+      env:
+          VERSION: ${{ github.event.inputs.version }}
       run: |
         git config user.name "pytest bot"
         git config user.email "[email protected]"
-        git tag --annotate --message=v${{ github.event.inputs.version }} ${{ github.event.inputs.version }} ${{ github.sha }}
-        git push origin ${{ github.event.inputs.version }}
+        git tag --annotate --message=v"$VERSION" "$VERSION" ${{ github.sha }}
+        git push origin "$VERSION"
 
   release-notes:
 
@@ -98,9 +102,11 @@ jobs:
         pip install --upgrade tox
 
     - name: Generate release notes
+      env:
+        VERSION: ${{ github.event.inputs.version }}
       run: |
         sudo apt-get install pandoc
-        tox -e generate-gh-release-notes -- ${{ github.event.inputs.version }} scripts/latest-release-notes.md
+        tox -e generate-gh-release-notes -- "$VERSION" scripts/latest-release-notes.md
 
     - name: Publish GitHub Release
       uses: softprops/action-gh-release@v2

.github/workflows/prepare-release-pr.yml

@@ -30,6 +30,7 @@ jobs:
     - uses: actions/checkout@v4
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     - name: Set up Python
       uses: actions/setup-python@v5
@@ -43,10 +44,16 @@ jobs:
 
     - name: Prepare release PR (minor/patch release)
       if: github.event.inputs.major == 'no'
+      env:
+        BRANCH: ${{ github.event.inputs.branch }}
+        PRERELEASE: ${{ github.event.inputs.prerelease }}
       run: |
-        tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }} --prerelease='${{ github.event.inputs.prerelease }}'
+        tox -e prepare-release-pr -- "$BRANCH" ${{ github.token }} --prerelease="$PRERELEASE"
 
     - name: Prepare release PR (major release)
       if: github.event.inputs.major == 'yes'
+      env:
+        BRANCH: ${{ github.event.inputs.branch }}
+        PRERELEASE: ${{ github.event.inputs.prerelease }}
       run: |
-        tox -e prepare-release-pr -- ${{ github.event.inputs.branch }} ${{ github.token }} --major --prerelease='${{ github.event.inputs.prerelease }}'
+        tox -e prepare-release-pr -- "$BRANCH" ${{ github.token }} --major --prerelease="$PRERELEASE"

.github/workflows/update-plugin-list.yml

@@ -23,12 +23,14 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Setup Python
         uses: actions/setup-python@v5
         with:
           python-version: "3.11"
           cache: pip
+
       - name: requests-cache
         uses: actions/cache@v4
         with:
@@ -41,7 +43,6 @@ jobs:
           python -m pip install --upgrade pip
           pip install packaging requests tabulate[widechars] tqdm requests-cache platformdirs
 
-
       - name: Update Plugin List
         run: python scripts/update-plugin-list.py
 
@@ -61,8 +62,9 @@ jobs:
       - name: Instruct the maintainers to trigger CI by undrafting the PR
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          PULL_REQUEST_NUMBER: ${{ steps.pr.outputs.pull-request-number }}
         run: >-
           gh pr comment
           --body 'Please mark the PR as ready for review to trigger PR checks.'
           --repo '${{ github.repository }}'
-          '${{ steps.pr.outputs.pull-request-number }}'
+          "$PULL_REQUEST_NUMBER"