ci: add zizmor to lint-actions (#37720)

Adds [zizmor](https://docs.zizmor.sh/) to `make lint-actions` with `--min-confidence=medium`. Fixes the remaining findings: - Pin floating-tag service images in `pull-db-tests.yml` to `tag@sha256:digest` - Move `github.ref` / `github.ref_name` (and surrounding secrets/step outputs for consistency) out of `run:` into `env:` --- This PR was written with the help of Claude Opus 4.7 --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> Co-authored-by: Nicolas <bircni@icloud.com> Co-authored-by: Giteabot <teabot@gitea.io>
2026-05-23 05:42:33 +09:00 · 2026-05-16 10:38:46 +02:00
parent 4e837fed97
commit 02be228ed6
8 changed files with 75 additions and 23 deletions
--- a/.github/workflows/pull-db-tests.yml
+++ b/.github/workflows/pull-db-tests.yml
@@ -27,7 +27,7 @@ jobs:
        ports:
          - "5432:5432"
      ldap:
-        image: gitea/test-openldap:latest
+        image: gitea/test-openldap:latest@sha256:4ac633b01d684e6b2a458cc0c8530c92f9b3702f6e040ce5f365607df34fbda0
        ports:
          - "389:389"
          - "636:636"
@@ -118,7 +118,7 @@ jobs:
        ports:
          - "7700:7700"
      redis:
-        image: redis
+        image: redis:latest@sha256:94ea4f5ccdaa6b154df99a792986ecb3ffbb3fe7722a197220477f1f3e65f9fe
        options: >- # wait until redis has started
          --health-cmd "redis-cli ping"
          --health-interval 5s
@@ -134,7 +134,7 @@ jobs:
        ports:
          - "9000:9000"
      devstoreaccount1.azurite.local: # https://github.com/Azure/Azurite/issues/1583
-        image: mcr.microsoft.com/azure-storage/azurite:latest
+        image: mcr.microsoft.com/azure-storage/azurite:latest@sha256:dae2a5f96553962901304b94e72ef87e299d0825e4b679673bcc527a25076fe4
        ports:
          - 10000:10000
    steps:
@@ -191,7 +191,7 @@ jobs:
        ports:
          - "9200:9200"
      smtpimap:
-        image: tabascoterrier/docker-imap-devel:latest
+        image: tabascoterrier/docker-imap-devel:latest@sha256:3fb7cf50b47693e7b80f6f74abea2def4d7386016931d61359864de8a0aba551
        ports:
          - "25:25"
          - "143:143"
@@ -235,7 +235,7 @@ jobs:
        ports:
          - "1433:1433"
      devstoreaccount1.azurite.local: # https://github.com/Azure/Azurite/issues/1583
-        image: mcr.microsoft.com/azure-storage/azurite:latest
+        image: mcr.microsoft.com/azure-storage/azurite:latest@sha256:dae2a5f96553962901304b94e72ef87e299d0825e4b679673bcc527a25076fe4
        ports:
          - 10000:10000
    steps: