* ci: fix issues indentified by zizmor GHA linter
This fixes issues identified by the zizmor linter which checks for
Github Actions security best practicies.
Summary of changes:
- Remove possibilities for shell injection. These can all only be
activated by workflow_dispatch input provided by people who already
have access to the repository but still a good idea to tidy this up.
Many of these occur in the build-package-docs actions. We should test
everything to make sure nothing is broken by these changes.
- Explicitly set permissions. This is not strictly required, because we
already enforce a limited set of default permissions in the repo's GHA
settings, but zizmor wants us to be explicit.
- Use `persist-credentials: false` with the checkout action.
Also, when rebasing this commit, I added back the manual `nox -s
clone-core` step to keep the outputs separate.
* ci: run zizmor in CI and noxfile
- Adds lockfile
- Adds nox session
- Adds nox session to CI matrix
* ci: fix additional issues identified by zizmor
- Add default permissions to new workflows
- Add cooldown to dependabot
* ci: add zizmor configuration for unpinned-uses
We could configure dependabot to pin shared workflow commit SHA hashes,
but for now, let's relax the unpinned-uses relax
* ci: restore secrets: inheirt for pip-compile workflows
See comment for more details.
* ci: fix token auth for pip-compile workflow
* README: mention that lint session runs GHA checks
* Update noxfile.py
Co-authored-by: Don Naro <dnaro@redhat.com>
* nox zizmor: allow overriding persona
* nox: actually run zizmor as part of lint session
* ci: use GHA expression instead of shell test
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk@sydorenko.org.ua>
* ci: use Python to avoid shell+json quoting issues
---------
Co-authored-by: Don Naro <dnaro@redhat.com>
Co-authored-by: 🇺🇦 Sviatoslav Sydorenko (Святослав Сидоренко) <wk@sydorenko.org.ua>
