chore(ci): workflows with zizmor remediations

lelia · lelia · commit 786f8d627342 · 2026-03-31T16:51:33.000-04:00
Signed-off-by: lelia &lt;2418071+lelia@users.noreply.github.com&gt;
diff --git a/.github/workflows/_docker-pipeline.yml b/.github/workflows/_docker-pipeline.yml
@@ -66,6 +66,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: 🔨 Set up Docker Buildx
         uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
diff --git a/.github/workflows/dependabot-review.yml b/.github/workflows/dependabot-review.yml
@@ -13,7 +13,7 @@ concurrency:
 
 jobs:
   inspect:
-    if: github.actor == 'dependabot[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
     runs-on: ubuntu-latest
     outputs:
       root_docker_changed: ${{ steps.diff.outputs.root_docker_changed }}
@@ -66,7 +66,7 @@ jobs:
 
   docker-smoke-main:
     needs: inspect
-    if: github.actor == 'dependabot[bot]' && needs.inspect.outputs.root_docker_changed == 'true'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && needs.inspect.outputs.root_docker_changed == 'true'
     uses: ./.github/workflows/_docker-pipeline.yml
     permissions:
       contents: read
@@ -79,7 +79,7 @@ jobs:
 
   docker-smoke-app-tests:
     needs: inspect
-    if: github.actor == 'dependabot[bot]' && needs.inspect.outputs.app_tests_docker_changed == 'true'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && needs.inspect.outputs.app_tests_docker_changed == 'true'
     uses: ./.github/workflows/_docker-pipeline.yml
     permissions:
       contents: read
@@ -92,7 +92,7 @@ jobs:
 
   workflow-notice:
     needs: inspect
-    if: github.actor == 'dependabot[bot]' && needs.inspect.outputs.workflow_or_action_changed == 'true'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && needs.inspect.outputs.workflow_or_action_changed == 'true'
     runs-on: ubuntu-latest
     steps:
       - name: Flag workflow-sensitive updates
diff --git a/.github/workflows/publish-docker.yml b/.github/workflows/publish-docker.yml
@@ -42,6 +42,7 @@ jobs:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           ref: ${{ github.event_name == 'workflow_dispatch' && inputs.tag || github.ref }}
+          persist-credentials: false
 
       - name: 🏷️ Resolve version
         id: version
@@ -97,6 +98,7 @@ jobs:
         with:
           ref: main
           fetch-depth: 0
+          persist-credentials: false
 
       - name: 🤖 Generate socket-release-bot token
         id: bot
diff --git a/action.yml b/action.yml
@@ -76,6 +76,7 @@ runs:
     INPUT_SWIFT_DISABLED_RULES: ${{ inputs.swift_disabled_rules }}
     INPUT_SWIFT_ENABLED_RULES: ${{ inputs.swift_enabled_rules }}
     INPUT_SWIFT_SAST_ENABLED: ${{ inputs.swift_sast_enabled }}
+    # Trivy-backed scanning is temporarily disabled in the pre-built GitHub Action image.
     INPUT_TRIVY_DISABLED_RULES: ${{ inputs.trivy_disabled_rules }}
     INPUT_TRIVY_IMAGE_SCANNING_DISABLED: ${{ inputs.trivy_image_scanning_disabled }}
     INPUT_TRIVY_NOTIFICATION_METHOD: ${{ inputs.trivy_notification_method }}
