Applied auto-fixes from zizmor findings.

author: Jacob Walls <jacobtylerwalls@gmail.com> 2025-11-14 13:39:01 -0500
committer: Jacob Walls <jacobtylerwalls@gmail.com> 2025-11-21 14:36:19 -0500
commit: e8958c4690faef27b6715524ecb5c49c3ecb6a09 (patch)
tree: a811d3c89d5a5069dbecc5d70c3fb4d007d07f27 /.github
parent: 09d4bf5cd9c95c588d3ec22edea5db1f5f146900 (diff)
11 files changed, 55 insertions, 3 deletions
diff --git a/.github/workflows/benchmark.yml b/.github/workflows/benchmark.yml
index 4c35cd7ae0..1e56313807 100644
--- a/.github/workflows/benchmark.yml
+++ b/.github/workflows/benchmark.yml
@@ -17,6 +17,7 @@ jobs:
         with:
           repository: django/django-asv
           path: "."
+          persist-credentials: false
       - name: Setup Miniforge
         uses: conda-incubator/setup-miniconda@v3
         with:
diff --git a/.github/workflows/check_commit_messages.yml b/.github/workflows/check_commit_messages.yml
index 1a6d6d1958..e8a7059b0d 100644
--- a/.github/workflows/check_commit_messages.yml
+++ b/.github/workflows/check_commit_messages.yml
@@ -14,11 +14,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: Calculate commit prefix
         id: vars
+        env:
+          GITHUB_EVENT_PULL_REQUEST_BASE_REF: ${{ github.event.pull_request.base.ref }}
         run: |
-          BASE="${{ github.event.pull_request.base.ref }}"
+          BASE="${GITHUB_EVENT_PULL_REQUEST_BASE_REF}"
           echo "BASE=$BASE" >> $GITHUB_ENV
           VERSION="${BASE#stable/}"
           echo "prefix=[$VERSION]" >> $GITHUB_OUTPUT
@@ -26,8 +30,9 @@ jobs:
       - name: Check PR title prefix
         env:
           TITLE: ${{ github.event.pull_request.title }}
+          STEPS_VARS_OUTPUTS_PREFIX: ${{ steps.vars.outputs.prefix }}
         run: |
-          PREFIX="${{ steps.vars.outputs.prefix }}"
+          PREFIX="${STEPS_VARS_OUTPUTS_PREFIX}"
           if [[ "$TITLE" != "$PREFIX"* ]]; then
             echo "❌ PR title must start with the required prefix: $PREFIX"
             exit 1
@@ -40,8 +45,10 @@ jobs:
           git fetch origin pull/${{ github.event.pull_request.number }}/head:pr
 
       - name: Check commit messages prefix
+        env:
+          STEPS_VARS_OUTPUTS_PREFIX: ${{ steps.vars.outputs.prefix }}
         run: |
-          PREFIX="${{ steps.vars.outputs.prefix }}"
+          PREFIX="${STEPS_VARS_OUTPUTS_PREFIX}"
           COMMITS=$(git rev-list base..pr)
           echo "Checking commit messages for required prefix: $PREFIX"
           FAIL=0
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 6e4a9cdd1b..4100c9ea21 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -26,6 +26,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -44,6 +46,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -65,6 +69,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/labels.yml b/.github/workflows/labels.yml
index 91579d82c2..6986eec033 100644
--- a/.github/workflows/labels.yml
+++ b/.github/workflows/labels.yml
@@ -19,6 +19,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
+        with:
+          persist-credentials: false
 
       - name: "Check title and manage labels"
         uses: actions/github-script@v8
diff --git a/.github/workflows/linters.yml b/.github/workflows/linters.yml
index de73eadf5d..7b58bacacf 100644
--- a/.github/workflows/linters.yml
+++ b/.github/workflows/linters.yml
@@ -24,6 +24,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -41,6 +43,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -58,6 +62,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: black
         uses: psf/black@stable
 
@@ -66,6 +72,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Run zizmor
         uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0
         with:
diff --git a/.github/workflows/postgis.yml b/.github/workflows/postgis.yml
index e20735233b..4ea462ee44 100644
--- a/.github/workflows/postgis.yml
+++ b/.github/workflows/postgis.yml
@@ -39,6 +39,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/python_matrix.yml b/.github/workflows/python_matrix.yml
index bbdb4458b4..b3b2866511 100644
--- a/.github/workflows/python_matrix.yml
+++ b/.github/workflows/python_matrix.yml
@@ -23,6 +23,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - id: set-matrix
         run: |
           python_versions=$(sed -n "s/^.*Programming Language :: Python :: \([[:digit:]]\+\.[[:digit:]]\+\).*$/'\1', /p" pyproject.toml | tr -d '\n' | sed 's/, $//g')
@@ -37,6 +39,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/schedule_tests.yml b/.github/workflows/schedule_tests.yml
index e2d3e55590..5679fbd77d 100644
--- a/.github/workflows/schedule_tests.yml
+++ b/.github/workflows/schedule_tests.yml
@@ -25,6 +25,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -43,6 +45,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -69,6 +73,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Node.js
         uses: actions/setup-node@v5
         with:
@@ -84,6 +90,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -120,6 +128,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -165,6 +175,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/screenshots.yml b/.github/workflows/screenshots.yml
index 1a835fe1a6..82d9901371 100644
--- a/.github/workflows/screenshots.yml
+++ b/.github/workflows/screenshots.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/selenium.yml b/.github/workflows/selenium.yml
index d62268658f..a07eb692a1 100644
--- a/.github/workflows/selenium.yml
+++ b/.github/workflows/selenium.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -58,6 +60,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
index 9428a9de0c..c6321b1415 100644
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -28,6 +28,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v6
         with:
@@ -46,6 +48,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v5
+        with:
+          persist-credentials: false
       - name: Set up Node.js
         uses: actions/setup-node@v5
         with:
author	Jacob Walls <jacobtylerwalls@gmail.com>	2025-11-14 13:39:01 -0500
committer	Jacob Walls <jacobtylerwalls@gmail.com>	2025-11-21 14:36:19 -0500
commit	e8958c4690faef27b6715524ecb5c49c3ecb6a09 (patch)
tree	a811d3c89d5a5069dbecc5d70c3fb4d007d07f27 /.github
parent	09d4bf5cd9c95c588d3ec22edea5db1f5f146900 (diff)