[6.0.x] Applied auto-fixes from zizmor findings.

Backport of e8958c4690faef27b6715524ecb5c49c3ecb6a09 from main.
author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-11-14 13:39:01 -0500
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2025-11-21 14:37:24 -0500
commit: e22a9332e3e277e565783ef977c08804a56de241 (patch)
tree: 243c9f423f43fdebe6e694e0846ae8eb12c93957 /.github
parent: abb9aab00e287b79fe6894ef66227f11d28924e0 (diff)
11 files changed, 55 insertions, 3 deletions
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 4c35cd7ae0..1e56313807 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -17,6 +17,7 @@ jobs:
         with:
           repository: django/django-asv
           path: "."
+          persist-credentials: false
       - name: Setup Miniforge
         uses: conda-incubator/setup-miniconda@v3
         with:
diff --git a/.github/workflows/check_commit_messages.yml b/.github/workflows/check_commit_messages.yml
index 1a6d6d1958..e8a7059b0d 100644
--- a/.github/workflows/check_commit_messages.yml
+++ b/.github/workflows/check_commit_messages.yml
@@ -14,11 +14,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Calculate commit prefix
         id: vars
+        env:
+          GITHUB_EVENT_PULL_REQUEST_BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
-          BASE="${{ github.event.pull_request.base.ref }}"
+          BASE="${GITHUB_EVENT_PULL_REQUEST_BASE_REF}"
           echo "BASE=$BASE" >> $GITHUB_ENV
           VERSION="${BASE#stable/}"
           echo "prefix=[$VERSION]" >> $GITHUB_OUTPUT
@@ -26,8 +30,9 @@ jobs:
       - name: Check PR title prefix
         env:
           TITLE: ${{ github.event.pull_request.title }}
+          STEPS_VARS_OUTPUTS_PREFIX: ${{ steps.vars.outputs.prefix }}
         run: |
-          PREFIX="${{ steps.vars.outputs.prefix }}"
+          PREFIX="${STEPS_VARS_OUTPUTS_PREFIX}"
           if [[ "$TITLE" != "$PREFIX"* ]]; then
             echo "❌ PR title must start with the required prefix: $PREFIX"
             exit 1
@@ -40,8 +45,10 @@ jobs:
           git fetch origin pull/${{ github.event.pull_request.number }}/head:pr
 
       - name: Check commit messages prefix
+        env:
+          STEPS_VARS_OUTPUTS_PREFIX: ${{ steps.vars.outputs.prefix }}
         run: |
-          PREFIX="${{ steps.vars.outputs.prefix }}"
+          PREFIX="${STEPS_VARS_OUTPUTS_PREFIX}"
           COMMITS=$(git rev-list base..pr)
           echo "Checking commit messages for required prefix: $PREFIX"
           FAIL=0
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 6e4a9cdd1b..4100c9ea21 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -26,6 +26,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -44,6 +46,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -65,6 +69,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 91579d82c2..6986eec033 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -19,6 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: "Check title and manage labels"
         uses: actions/github-script@v8
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index de73eadf5d..7b58bacacf 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -24,6 +24,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -41,6 +43,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -58,6 +62,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: black
         uses: psf/black@stable
 
@@ -66,6 +72,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Run zizmor
         uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
         with:
diff --git a/.github/workflows/postgis.yml b/.github/workflows/postgis.yml
index 42e9b83320..772f12fafe 100644
--- a/.github/workflows/postgis.yml
+++ b/.github/workflows/postgis.yml
@@ -39,6 +39,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/python_matrix.yml b/.github/workflows/python_matrix.yml
index 072bf1cdbc..00fcc89f71 100644
--- a/.github/workflows/python_matrix.yml
+++ b/.github/workflows/python_matrix.yml
@@ -23,6 +23,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - id: set-matrix
         run: |
           python_versions=$(sed -n "s/^.*Programming Language :: Python :: \([[:digit:]]\+\.[[:digit:]]\+\).*$/'\1', /p" pyproject.toml | tr -d '\n' | sed 's/, $//g')
@@ -37,6 +39,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/schedule_tests.yml b/.github/workflows/schedule_tests.yml
index b74ca0474c..85a2e4ccdf 100644
--- a/.github/workflows/schedule_tests.yml
+++ b/.github/workflows/schedule_tests.yml
@@ -24,6 +24,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -42,6 +44,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -68,6 +72,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Node.js
         uses: actions/setup-node@v5
         with:
@@ -83,6 +89,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -119,6 +127,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -164,6 +174,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/screenshots.yml b/.github/workflows/screenshots.yml
index b61ab73486..6014f9dec9 100644
--- a/.github/workflows/screenshots.yml
+++ b/.github/workflows/screenshots.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/selenium.yml b/.github/workflows/selenium.yml
index 30026f22dd..9691569361 100644
--- a/.github/workflows/selenium.yml
+++ b/.github/workflows/selenium.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -58,6 +60,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index f46ec6dd2e..4114f60f5a 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -28,6 +28,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -46,6 +48,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Node.js
         uses: actions/setup-node@v5
         with:
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-11-14 13:39:01 -0500
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2025-11-21 14:37:24 -0500
commit	e22a9332e3e277e565783ef977c08804a56de241 (patch)
tree	243c9f423f43fdebe6e694e0846ae8eb12c93957 /.github
parent	abb9aab00e287b79fe6894ef66227f11d28924e0 (diff)