ci: add zizmor to lint-actions (#37720)

Adds [zizmor](https://docs.zizmor.sh/) to `make lint-actions` with `--min-confidence=medium`. Fixes the remaining findings: - Pin floating-tag service images in `pull-db-tests.yml` to `tag@sha256:digest` - Move `github.ref` / `github.ref_name` (and surrounding secrets/step outputs for consistency) out of `run:` into `env:` --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Giteabot <teabot@gitea.io>
2026-05-23 05:42:33 +09:00 · 2026-05-16 10:38:46 +02:00
parent 4e837fed97
commit 02be228ed6
8 changed files with 75 additions and 23 deletions
--- a/.github/workflows/pull-compliance.yml
+++ b/.github/workflows/pull-compliance.yml
@@ -52,10 +52,12 @@ jobs:

      - run: make lint-spell

-      - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true'
+      - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true' || needs.files-changed.outputs.actions == 'true'
        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          python-version: 3.14
      - if: needs.files-changed.outputs.templates == 'true' || needs.files-changed.outputs.yaml == 'true'
-        run: uv python install 3.14 && make deps-py lint-templates lint-yaml
+        run: make deps-py lint-templates lint-yaml

      - if: needs.files-changed.outputs.docs == 'true' || needs.files-changed.outputs.swagger == 'true' || needs.files-changed.outputs.json == 'true'
        run: make deps-frontend lint-md lint-swagger lint-json