Fix some issues pointed out by zizmor (#96)

felixfontein · web-flow · commit fe35f67c3bcf · 2024-12-14T16:50:19.000+01:00
* Fix some issues pointed out by zizmor.

* Avoid templating in scripts in actions.
diff --git a/.github/workflows/_shared-docs-build-pr.yml b/.github/workflows/_shared-docs-build-pr.yml
@@ -229,6 +229,11 @@ jobs:
       - name: Variable setup
         id: vars
         uses: actions/github-script@v7
+        env:
+          RUNNER_TEMP: ${{ runner.temp }}
+          EVENT_ACTION: ${{ github.event.action }}
+          MERGE_COMMIT_SHA: ${{ github.event.pull_request.merge_commit_sha }}
+          GITHUB_EVENT_NUMBER: ${{ github.event.number }}
         with:
           script: |
             const inputs = ${{ toJSON(inputs) }}
@@ -244,7 +249,7 @@ jobs:
             core.setOutput('col-path', colpath)
             core.setOutput('checkout-path', checkoutPath)
 
-            var initPath = '${{ runner.temp }}/docsbuild'
+            var initPath = `${RUNNER_TEMP}/docsbuild`
             var skipInit = false
 
             if (inputs['init-dest-dir'] != '') {
@@ -268,10 +273,10 @@ jobs:
             // See also:
             // - https://github.com/ansible-community/github-docs-build/issues/36
 
-            if ('${{ github.event.action }}' == 'closed') {
-                core.setOutput('pr-checkout-ref', '${{ github.event.pull_request.merge_commit_sha }}')
+            if (`${EVENT_ACTION}` == 'closed') {
+                core.setOutput('pr-checkout-ref', `${MERGE_COMMIT_SHA}`)
             } else {
-                core.setOutput('pr-checkout-ref', 'refs/pull/${{ github.event.number }}/merge')
+                core.setOutput('pr-checkout-ref', `refs/pull/${GITHUB_EVENT_NUMBER}/merge`)
             }
 
       - name: Set up Python
@@ -280,20 +285,25 @@ jobs:
           python-version: ${{ inputs.python }}
 
       - name: Install Ansible
-        run: pip install https://github.com/ansible/ansible/archive/${{ inputs.ansible-ref }}.tar.gz --disable-pip-version-check
+        env: 
+          ANSIBLE_REF: ${{ inputs.ansible-ref }}
+        run: pip install "https://github.com/ansible/ansible/archive/${ANSIBLE_REF}.tar.gz" --disable-pip-version-check
 
       - name: Install extra collections
         shell: bash
+        env:
+          EXTRA_COLLECTIONS: ${{ inputs.extra-collections }}
         run: |
-          if [[ "${{ inputs.extra-collections }}" != "" ]] ; then
-            ansible-galaxy collection install ${{ inputs.extra-collections }}
+          if [[ "${EXTRA_COLLECTIONS}" != "" ]] ; then
+            ansible-galaxy collection install ${EXTRA_COLLECTIONS}
           fi
 
       - name: Checkout BASE
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.base.sha }}
           path: ${{ steps.vars.outputs.checkout-path }}
+          persist-credentials: false
 
       - name: Initialize the build environment (BASE)
         id: init-base
@@ -339,6 +349,7 @@ jobs:
           # a PR, **but** then we get https://github.com/ansible-community/github-docs-build/issues/3 back...
           ref: ${{ steps.vars.outputs.pr-checkout-ref }}
           path: ${{ steps.vars.outputs.checkout-path }}
+          persist-credentials: false
 
       - name: Initialize the build environment (HEAD)
         id: init-head
diff --git a/.github/workflows/_shared-docs-build-publish-gh-pages.yml b/.github/workflows/_shared-docs-build-publish-gh-pages.yml
@@ -119,6 +119,7 @@ jobs:
           ref: gh-pages
           path: gh-pages-checkout
           token: ${{ secrets.GH_TOKEN }}
+          persist-credentials: false
 
       - name: Setup GitHub Pages
         if: inputs.publish-gh-pages-branch
diff --git a/.github/workflows/_shared-docs-build-publish-surge.yml b/.github/workflows/_shared-docs-build-publish-surge.yml
@@ -52,9 +52,15 @@ jobs:
       - name: Publish site
         if: inputs.action == 'publish'
         working-directory: html
-        run: surge ./ "${{ inputs.surge-site-name }}" --token ${{ secrets.SURGE_TOKEN }}
+        env:
+          SURGE_SITE_NAME: ${{ inputs.surge-site-name }}
+          SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
+        run: surge ./ "${SURGE_SITE_NAME}" --token "${SURGE_TOKEN}"
 
       - name: Teardown site
         if: inputs.action == 'teardown'
-        run: surge teardown "${{ inputs.surge-site-name }}" --token ${{ secrets.SURGE_TOKEN }}
+        env:
+          SURGE_SITE_NAME: ${{ inputs.surge-site-name }}
+          SURGE_TOKEN: ${{ secrets.SURGE_TOKEN }}
+        run: surge teardown "${SURGE_SITE_NAME}" --token "${SURGE_TOKEN}"
         continue-on-error: true
diff --git a/.github/workflows/_shared-docs-build-push.yml b/.github/workflows/_shared-docs-build-push.yml
@@ -159,6 +159,8 @@ jobs:
       - name: Variable setup
         id: vars
         uses: actions/github-script@v7
+        env:
+          RUNNER_TEMP: ${{ runner.temp }}
         with:
           script: |
             const inputs = ${{ toJSON(inputs) }}
@@ -181,7 +183,7 @@ jobs:
             core.setOutput('col-path', colpath)
             core.setOutput('checkout-path', checkoutPath)
 
-            var initPath = '${{ runner.temp }}/docsbuild'
+            var initPath = `${RUNNER_TEMP}/docsbuild`
             var skipInit = false
 
             if (inputs['init-dest-dir'] != '') {
@@ -198,20 +200,26 @@ jobs:
           python-version: ${{ inputs.python }}
 
       - name: Install Ansible
-        run: pip install https://github.com/ansible/ansible/archive/${{ inputs.ansible-ref }}.tar.gz --disable-pip-version-check
+        env:
+          ANSIBLE_REF: ${{ inputs.ansible-ref }}
+        run: >
+          pip install "https://github.com/ansible/ansible/archive/${ANSIBLE_REF}.tar.gz" --disable-pip-version-check
 
       - name: Install extra collections
         shell: bash
+        env:
+          EXTRA_COLLECTIONS: ${{ inputs.extra-collections }}
         run: |
-          if [[ "${{ inputs.extra-collections }}" != "" ]] ; then
-            ansible-galaxy collection install ${{ inputs.extra-collections }}
+          if [[ "${EXTRA_COLLECTIONS}" != "" ]] ; then
+            ansible-galaxy collection install ${EXTRA_COLLECTIONS}
           fi
 
       - name: Checkout
         uses: actions/checkout@v4
         with:
           path: ${{ steps.vars.outputs.checkout-path }}
           ref: ${{ inputs.build-ref }}
+          persist-credentials: false
 
       - name: Initialize the build environment
         id: init
diff --git a/.github/workflows/generate-wiki-docs.yml b/.github/workflows/generate-wiki-docs.yml
@@ -24,13 +24,16 @@ jobs:
     steps:
       - if: fromJSON(env.SHOULD_RUN)
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Checkout wiki
         if: fromJSON(env.SHOULD_RUN)
         uses: actions/checkout@v4
         with:
           repository: ${{ github.repository }}.wiki
           path: ${{ env.WIKI }}
+          persist-credentials: false
 
       - uses: actions/setup-python@v5
         if: fromJSON(env.SHOULD_RUN)
diff --git a/.github/workflows/test-action-build-html.yml b/.github/workflows/test-action-build-html.yml
@@ -23,6 +23,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Simple 1 invoke - no copy, no artifact
         id: simple1
@@ -40,11 +42,18 @@ jobs:
 
       - name: Simple 1 - assert
         shell: python
+        env:
+          EXPECTED_HASH: ${{ hashFiles('.test/simple-build/src') }}
+          OUTPUT_HASH: ${{ steps.simple1.outputs.hash }}
+          OUTPUT_BUILD_HTML: ${{ steps.simple1.outputs.build-html }}
+          ARTIFACT_HASH: ${{ hashFiles(steps.simple1-artifact.outputs.download-path) }}
         run: |
-          expected_hash = r'${{ hashFiles('.test/simple-build/src') }}'
-          output_hash = r'${{ steps.simple1.outputs.hash }}'
-          output_build_html = r'${{ steps.simple1.outputs.build-html }}'
-          artifact_hash = r'${{ hashFiles(steps.simple1-artifact.outputs.download-path) }}'
+          import os
+
+          expected_hash = os.environ['ARTIFACT_HASH']
+          output_hash = os.environ['OUTPUT_HASH']
+          output_build_html = os.environ['OUTPUT_BUILD_HTML']
+          artifact_hash = os.environ['ARTIFACT_HASH']
 
           assert output_build_html == '.test/simple-build/build/html'
           assert output_hash == expected_hash
@@ -67,12 +76,20 @@ jobs:
 
       - name: Simple 2 - assert
         shell: python
+        env:
+          expected_hash: ${{ hashFiles('.test/simple-build/src') }}
+          output_hash: ${{ steps.simple2.outputs.hash }}
+          output_build_html: ${{ steps.simple2.outputs.build-html }}
+          artifact_hash: ${{ hashFiles(steps.simple2-artifact.outputs.download-path) }}
+          original_build_hash: ${{ hashFiles('.test/simple-build/build/html') }}
         run: |
-          expected_hash = r'${{ hashFiles('.test/simple-build/src') }}'
-          output_hash = r'${{ steps.simple2.outputs.hash }}'
-          output_build_html = r'${{ steps.simple2.outputs.build-html }}'
-          artifact_hash = r'${{ hashFiles(steps.simple2-artifact.outputs.download-path) }}'
-          original_build_hash = r'${{ hashFiles('.test/simple-build/build/html') }}'
+          import os
+
+          expected_hash = os.environ['expected_hash']
+          output_hash = os.environ['output_hash']
+          output_build_html = os.environ['output_build_html']
+          artifact_hash = os.environ['artifact_hash']
+          original_build_hash = os.environ['original_build_hash']
 
           assert output_build_html == '.copies/simple2/html'
           assert output_hash == expected_hash
@@ -97,26 +114,36 @@ jobs:
 
       - name: Simple 3 - assert
         shell: python
+        env:
+          expected_hash: ${{ hashFiles('.test/simple-build/src') }}
+          output_hash: ${{ steps.simple3.outputs.hash }}
+          output_build_html: ${{ steps.simple3.outputs.build-html }}
+          artifact_hash: ${{ hashFiles(steps.simple3-artifact.outputs.download-path) }}
         run: |
-          expected_hash = r'${{ hashFiles('.test/simple-build/src') }}'
-          output_hash = r'${{ steps.simple3.outputs.hash }}'
-          output_build_html = r'${{ steps.simple3.outputs.build-html }}'
-          artifact_hash = r'${{ hashFiles(steps.simple3-artifact.outputs.download-path) }}'
+          import os
+
+          expected_hash = os.environ['expected_hash']
+          output_hash = os.environ['output_hash']
+          output_build_html = os.environ['output_build_html']
+          artifact_hash = os.environ['artifact_hash']
 
           assert output_build_html == '.test/simple-build/build/html'
           assert output_hash == expected_hash
           assert artifact_hash == output_hash
 
       - name: Simple 3 - bash asserts
+        env:
+          ARTIFACTS_URL: ${{ steps.simple3.outputs.artifact-url }}
+          DOWNLOAD_PATH: ${{ steps.simple3-artifact.outputs.download-path }}
         run: |
           set -eu
 
           # this URL only goes to the run page, not to an individual artifact
           # so all we're really checking here is that it's a valid URL that's accessible
-          wget '${{ steps.simple3.outputs.artifact-url }}'
+          wget "${ARTIFACTS_URL}"
 
           # ensure that the html directory is not present in the downloaded artifact
-          test ! -d "${{ steps.simple3-artifact.outputs.download-path }}/html"
+          test ! -d "${DOWNLOAD_PATH}/html"
 
       - name: Simple 4 invoke - with copy, with artifact
         id: simple4
@@ -137,28 +164,39 @@ jobs:
 
       - name: Simple 4 - assert
         shell: python
+        env:
+          expected_hash: ${{ hashFiles('.test/simple-build/src') }}
+          output_hash: ${{ steps.simple4.outputs.hash }}
+          output_build_html: ${{ steps.simple4.outputs.build-html }}
+          artifact_hash: ${{ hashFiles(steps.simple4-artifact.outputs.download-path) }}
+          original_build_hash: ${{ hashFiles('.test/simple-build/build/html') }}
         run: |
-          expected_hash = r'${{ hashFiles('.test/simple-build/src') }}'
-          output_hash = r'${{ steps.simple4.outputs.hash }}'
-          output_build_html = r'${{ steps.simple4.outputs.build-html }}'
-          artifact_hash = r'${{ hashFiles(steps.simple4-artifact.outputs.download-path) }}'
-          original_build_hash = r'${{ hashFiles('.test/simple-build/build/html') }}'
+          import os
+
+          expected_hash = os.environ['expected_hash']
+          output_hash = os.environ['output_hash']
+          output_build_html = os.environ['output_build_html']
+          artifact_hash = os.environ['artifact_hash']
+          original_build_hash = os.environ['original_build_hash']
 
           assert output_build_html == '.copies/simple4/html'
           assert output_hash == expected_hash
           assert output_hash == original_build_hash
           assert artifact_hash == output_hash
 
       - name: Simple 4 - bash asserts
+        env:
+          ARTIFACTS_URL: ${{ steps.simple4.outputs.artifact-url }}
+          DOWNLOAD_PATH: ${{ steps.simple4-artifact.outputs.download-path }}
         run: |
           set -eu
 
           # this URL only goes to the run page, not to an individual artifact
           # so all we're really checking here is that it's a valid URL that's accessible
-          wget '${{ steps.simple4.outputs.artifact-url }}'
+          wget "${ARTIFACTS_URL}"
 
           # ensure that the html directory is not present in the downloaded artifact
-          test ! -d "${{ steps.simple4-artifact.outputs.download-path }}/html"
+          test ! -d "${DOWNLOAD_PATH}/html"
 
       - name: Simple 5 invoke - with copy, with artifact, trailing slash in input
         id: simple5
@@ -179,25 +217,36 @@ jobs:
 
       - name: Simple 5 - assert
         shell: python
+        env:
+          expected_hash: ${{ hashFiles('.test/simple-build/src') }}
+          output_hash: ${{ steps.simple5.outputs.hash }}
+          output_build_html: ${{ steps.simple5.outputs.build-html }}
+          artifact_hash: ${{ hashFiles(steps.simple5-artifact.outputs.download-path) }}
+          original_build_hash: ${{ hashFiles('.test/simple-build/build/html/') }}
         run: |
-          expected_hash = r'${{ hashFiles('.test/simple-build/src') }}'
-          output_hash = r'${{ steps.simple5.outputs.hash }}'
-          output_build_html = r'${{ steps.simple5.outputs.build-html }}'
-          artifact_hash = r'${{ hashFiles(steps.simple5-artifact.outputs.download-path) }}'
-          original_build_hash = r'${{ hashFiles('.test/simple-build/build/html/') }}'
+          import os
+
+          expected_hash = os.environ['expected_hash ']
+          output_hash = os.environ['output_hash']
+          output_build_html = os.environ['output_build_html']
+          artifact_hash = os.environ['artifact_hash']
+          original_build_hash = os.environ['original_build_hash']
 
           assert output_build_html == '.copies/simple5/html/'
           assert output_hash == expected_hash
           assert output_hash == original_build_hash
           assert artifact_hash == output_hash
 
       - name: Simple 5 - bash asserts
+        env:
+          ARTIFACTS_URL: ${{ steps.simple5.outputs.artifact-url }}
+          DOWNLOAD_PATH: ${{ steps.simple5-artifact.outputs.download-path }}
         run: |
           set -eu
 
           # this URL only goes to the run page, not to an individual artifact
           # so all we're really checking here is that it's a valid URL that's accessible
-          wget '${{ steps.simple5.outputs.artifact-url }}'
+          wget "${ARTIFACTS_URL}"
 
           # ensure that the html directory is not present in the downloaded artifact
-          test ! -d "${{ steps.simple5-artifact.outputs.download-path }}/html"
+          test ! -d "${DOWNLOAD_PATH}/html"
diff --git a/.github/workflows/test-action-build-init.yml b/.github/workflows/test-action-build-init.yml
@@ -109,6 +109,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install Python
         uses: actions/setup-python@v5
diff --git a/actions/ansible-docs-build-diff/action.yml b/actions/ansible-docs-build-diff/action.yml
@@ -81,12 +81,15 @@ runs:
     - name: Delete files that should not be included in the diff
       id: delete
       shell: bash
+      env:
+        BUILD_HTML_A: ${{ inputs.build-html-a }}
+        BUILD_HTML_B: ${{ inputs.build-html-b }}
       run: |
-        echo "::group::Deleting files from ${{ inputs.build-html-a }}"
-        find "${{ inputs.build-html-a }}" \( -name '*.js' -or -name '*.inv' \) -delete -print
+        echo "::group::Deleting files from ${BUILD_HTML_A}"
+        find "${BUILD_HTML_A}" \( -name '*.js' -or -name '*.inv' \) -delete -print
         echo "::endgroup::"
-        echo "::group::Deleting files from ${{ inputs.build-html-b }}"
-        find "${{ inputs.build-html-b }}" \( -name '*.js' -or -name '*.inv' \) -delete -print
+        echo "::group::Deleting files from ${BUILD_HTML_B}"
+        find "${BUILD_HTML_B}" \( -name '*.js' -or -name '*.inv' \) -delete -print
         echo "::endgroup::"
 
     - name: Create diff
diff --git a/actions/ansible-docs-build-html/action.yml b/actions/ansible-docs-build-html/action.yml
diff --git a/actions/ansible-docs-build-init/action.yml b/actions/ansible-docs-build-init/action.yml
