Clean up workflow files from Zizmor output (#113)

mandreko-bitwarden · web-flow · commit 76a7b06aa81e · 2025-10-09T14:28:21.000-04:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -109,24 +109,26 @@ jobs:
           DIGEST: ${{ steps.build-docker.outputs.digest }}
           TAGS: ${{ steps.image-tags.outputs.tags }}
         run: |
-          IFS="," read -a tags <<< "${TAGS}"
-          images=""
-          for tag in "${tags[@]}"; do
-            images+="${tag}@${DIGEST} "
+          IFS=',' read -r -a tags_array <<< "${TAGS}"
+          images=()
+          for tag in "${tags_array[@]}"; do
+            images+=("${tag}@${DIGEST}")
           done
-          cosign sign --yes ${images}
-          echo "images=${images}" >> "$GITHUB_OUTPUT"
+          cosign sign --yes "${images[@]}"
+          echo "images=${images[*]}" >> "$GITHUB_OUTPUT"
 
       - name: Verify the signed image with Cosign
         if: ${{ env._PUSH_IMAGE == 'true' }}
         env:
           GITHUB_SERVER_URL: "${{ github.server_url }}"
           REF: "${{ github.workflow_ref }}"
           IMAGES: "${{ steps.cosign.outputs.images }}"
-        run: |
+        run: |          
+          read -r -a images_array <<< "${COSIGN_IMAGES}"
           cosign verify \
-            --certificate-identity "$GITHUB_SERVER_URL/$REF" \
-            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" $IMAGES
+            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
+            --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+            "${images_array[@]}"
 
       - name: Create kind cluster
         uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
diff --git a/andreko.patch b/andreko.patch
@@ -0,0 +1,239 @@
+diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
+index c115ab5..18e993a 100644
+--- a/.github/workflows/build.yml
++++ b/.github/workflows/build.yml
+@@ -31,15 +31,17 @@ jobs:
+     steps:
+       - name: Check out repo
+         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
++        with:
++          persist-credentials: false
+ 
+       - name: Set up QEMU
+-        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3
++        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
+ 
+       - name: Set up Docker Buildx
+         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+ 
+       - name: Log in to GitHub Container Registry
+-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
++        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+         with:
+           registry: ghcr.io
+           username: ${{ github.actor }}
+@@ -53,7 +55,7 @@ jobs:
+           make test
+ 
+       - name: Upload to codecov.io
+-        uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2
++        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+ 
+       - name: Generate Docker image tag
+         id: tag
+@@ -63,12 +65,14 @@ jobs:
+           if [[ "$EVENT_TYPE" == "pull_request" ]]; then
+             IMAGE_TAG="pr-${{ github.event.pull_request.number }}"
+           else
+-            IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g")  # slash safe branch name
+-            if [[ "$IMAGE_TAG" == "main" ]]; then
+-              IMAGE_TAG=dev
++            ref="${GITHUB_REF:11}"
++            IMAGE_TAG="${ref//\//-}"
++
++            if [[ "${IMAGE_TAG}" == "main" ]]; then
++              IMAGE_TAG="dev"
+             fi
+           fi
+-          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
++          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+ 
+       - name: Generate image tag(s)
+         id: image-tags
+@@ -76,13 +80,13 @@ jobs:
+           IMAGE_TAG: ${{ steps.tag.outputs.image_tag }}
+           SHA: ${{ github.sha }}
+         run: |
+-          TAGS="${{ env._IMAGE_NAME }}:${{ env.IMAGE_TAG }}"
+-          echo "primary_tag=$TAGS" >> $GITHUB_OUTPUT
++          TAGS="$_IMAGE_NAME:$IMAGE_TAG"
++          echo "primary_tag=$TAGS" >> "$GITHUB_OUTPUT"
+           if [[ "$IMAGE_TAG" == "dev" ]]; then
+-            SHORT_SHA="$(git rev-parse --short ${SHA})"
+-            TAGS="$TAGS,${{ env._IMAGE_NAME }}:${{ env.IMAGE_TAG }}-${SHORT_SHA}"
++            SHORT_SHA="$(git rev-parse --short "${SHA}")"
++            TAGS="$TAGS,$TAGS-${SHORT_SHA}"
+           fi
+-          echo "tags=$TAGS" >> $GITHUB_OUTPUT
++          echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
+ 
+       - name: Build Docker image
+         id: build-docker
+@@ -96,7 +100,7 @@ jobs:
+ 
+       - name: Install Cosign
+         if: ${{ env._PUSH_IMAGE == 'true' }}
+-        uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
++        uses: sigstore/cosign-installer@d7543c93d881b35a8faa02e8e3605f69b7a1ce62 # v3.10.0
+ 
+       - name: Sign image with Cosign
+         if: ${{ env._PUSH_IMAGE == 'true' }}
+@@ -105,24 +109,31 @@ jobs:
+           DIGEST: ${{ steps.build-docker.outputs.digest }}
+           TAGS: ${{ steps.image-tags.outputs.tags }}
+         run: |
+-          IFS="," read -a tags <<< "${TAGS}"
+-          images=""
+-          for tag in "${tags[@]}"; do
+-            images+="${tag}@${DIGEST} "
++          IFS="," read -r -a combined_tags <<< "${TAGS}"
++          images=()
++          for tag in "${combined_tags[@]}"; do
++            images+=("${tag}@${DIGEST}")
+           done
+-          cosign sign --yes ${images}
+-          echo "images=${images}" >> $GITHUB_OUTPUT
++          cosign sign --yes "${images[@]}"
++          {
++            printf 'images='
++            printf '%s ' "${images[@]}"
++            echo
++          } >> "$GITHUB_OUTPUT"
+ 
+       - name: Verify the signed image with Cosign
+         if: ${{ env._PUSH_IMAGE == 'true' }}
++        env:
++          REF: ${{ github.workflow_ref }}
++          IMAGES: ${{ steps.cosign.outputs.images }}
+         run: |
+           cosign verify \
+-            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
++            --certificate-identity "${{ github.server_url }}/$REF" \
+             --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
+-            ${{ steps.cosign.outputs.images }}
++            "$IMAGES"
+ 
+       - name: Create kind cluster
+-        uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0
++        uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
+ 
+       - name: Load image into kind
+         if: ${{ env._PUSH_IMAGE != 'true' }}
+@@ -136,7 +147,7 @@ jobs:
+         env:
+           IMAGE: ${{ steps.image-tags.outputs.primary_tag }}
+         run: |
+-          make deploy IMG=$IMAGE
++          make deploy IMG="$IMAGE"
+ 
+           count=0
+           while [[ $(kubectl get pods -n sm-operator-system -l control-plane=controller-manager -o jsonpath="{.items[*].status.containerStatuses[*].ready}") != "true" ]]; do
+@@ -153,7 +164,7 @@ jobs:
+ 
+           echo "*****PODS*****"
+           pods=$(kubectl get pods -n sm-operator-system -l control-plane=controller-manager | grep 2/2)
+-          echo $pods
++          echo "$pods"
+ 
+           if [[ -z "$pods" ]]; then
+             echo "::error::No pods found."
+diff --git a/.github/workflows/bump-version.yml b/.github/workflows/bump-version.yml
+index 8f8bbb6..5926b49 100644
+--- a/.github/workflows/bump-version.yml
++++ b/.github/workflows/bump-version.yml
+@@ -26,10 +26,12 @@ jobs:
+             echo "Error: Version number ($_VERSION_NUMBER) is not in semantic version format (X.Y.Z)"
+             exit 1
+           fi
+-          echo "branch_name=version_bump_$_VERSION_NUMBER" >> $GITHUB_OUTPUT
++          echo "branch_name=version_bump_$_VERSION_NUMBER" >> "$GITHUB_OUTPUT"
+ 
+       - name: Check out repo
+         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
++        with:
++          persist-credentials: true
+ 
+       - name: Log in to Azure
+         uses: bitwarden/gh-actions/azure-login@main
+@@ -49,7 +51,7 @@ jobs:
+         uses: bitwarden/gh-actions/azure-logout@main
+ 
+       - name: Import GPG key
+-        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4 # v6.1.0
++        uses: crazy-max/ghaction-import-gpg@e89d40939c28e39f97cf32126055eeae86ba74ec # v6.3.0
+         with:
+           gpg_private_key: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key }}
+           passphrase: ${{ steps.retrieve-secrets.outputs.github-gpg-private-key-passphrase }}
+@@ -57,7 +59,9 @@ jobs:
+           git_commit_gpgsign: true
+ 
+       - name: Create branch
+-        run: git switch -c "${{ steps.setup.outputs.branch_name }}"
++        env:
++          BRANCH_NAME: "${{ steps.setup.outputs.branch_name }}"
++        run: git switch -c "$BRANCH_NAME"
+ 
+       - name: Bump version
+         run: |
+@@ -72,10 +76,10 @@ jobs:
+         id: version-changed
+         run: |
+           if [ -n "$(git status --porcelain)" ]; then
+-            echo "changes_to_commit=TRUE" >> $GITHUB_OUTPUT
++            echo "changes_to_commit=TRUE" >> "$GITHUB_OUTPUT"
+             git diff
+           else
+-            echo "changes_to_commit=FALSE" >> $GITHUB_OUTPUT
++            echo "changes_to_commit=FALSE" >> "$GITHUB_OUTPUT"
+             echo "No changes to commit!";
+           fi
+ 
+@@ -85,7 +89,9 @@ jobs:
+ 
+       - name: Push changes
+         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
+-        run: git push -u origin "${{ steps.setup.outputs.branch_name }}"
++        env:
++          BRANCH_NAME: "${{ steps.setup.outputs.branch_name }}"
++        run: git push -u origin "$BRANCH_NAME"
+ 
+       - name: Create version PR
+         if: ${{ steps.version-changed.outputs.changes_to_commit == 'TRUE' }}
+diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
+index 160d999..59b665b 100644
+--- a/.github/workflows/release.yml
++++ b/.github/workflows/release.yml
+@@ -33,12 +33,14 @@ jobs:
+ 
+       - name: Check out repo
+         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
++        with:
++          persist-credentials: false
+ 
+       - name: Get version
+         id: version
+         run: |
+           VERSION=$(sed -nE 's/^VERSION\s+\?=\s+([^\s]+)/\1/p' Makefile)
+-          echo "version=$VERSION" >> $GITHUB_OUTPUT
++          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+ 
+   release:
+     name: Release
+@@ -52,7 +54,7 @@ jobs:
+     steps:
+       - name: Create release
+         if: ${{ inputs.release_type != 'Dry Run' }}
+-        uses: ncipollo/release-action@bcfe5470707e8832e12347755757cec0eb3c22af # v1.18.0
++        uses: ncipollo/release-action@b7eabc95ff50cbeeedec83973935c8f306dfcd0b # v1.20.0
+         with:
+           commit: ${{ github.sha }}
+           tag: v${{ env._PKG_VERSION }}
+@@ -76,7 +78,7 @@ jobs:
+ 
+     steps:
+       - name: Log in to GitHub Container Registry
+-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
++        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
+         with:
+           registry: ghcr.io
+           username: ${{ github.actor }}
