actions/mise-action
12
0
Fork 0
mirror of https://github.com/jdx/mise-action.git synced 2026-05-15 14:20:32 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 8
mise-action/scripts
History
jdx d878aee510
ci: address zizmor findings across existing workflows 
Resolves all findings exposed by the new zizmor check in PR #471
so the audit can run clean. Verified locally with zizmor v1.24.1
(0 findings, 34 suppressed).

- artipacked: add `persist-credentials: false` to every
  `actions/checkout` step that didn't already set it.
- cache-poisoning: pass `cache: false` to mise-action in
  `ci.yml` (the lint/format job doesn't need a tool cache).
- template-injection: in test.yml's checksum_failure job,
  move `steps.bad.outcome` from inline template into an
  env var consumed by the shell script.
- excessive-permissions: add minimal workflow-level
  `permissions: contents: read` blocks to ci.yml, test.yml,
  and test-redacted-env.yml; move release.yml's workflow-
  level `contents: write` down to the `release` job only,
  with `enhance-release` getting `contents: read`.

postversion.sh now runs `gh auth setup-git` before
`git push` — the checkout uses `persist-credentials: false`,
so the token isn't in .git/config and raw `git push` would
otherwise 403.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-12 14:55:38 -05:00
..
postversion.sh ci: address zizmor findings across existing workflows 2026-05-12 14:55:38 -05:00
release-plz.sh chore: remove duplicate release-plz logic 2025-08-18 11:57:51 -05:00
test.sh chore: fix release-plz 2025-08-18 11:51:16 -05:00
version.sh docs: hide version commits in CHANGELOG 2025-04-22 23:07:01 -05:00