From cae8f3e8e16cac5b469d6032e943d2e9040e31ce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Fri, 5 Dec 2025 10:14:44 +0100 Subject: [PATCH 1/4] chore: enable more linter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- .github/workflows/ci.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index baa85868..b6f09d60 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -129,8 +129,9 @@ jobs: VALIDATE_BASH_EXEC: true VALIDATE_EDITORCONFIG: true VALIDATE_ENV: true - # VALIDATE_GO_RELEASER: true + VALIDATE_GO_RELEASER: true VALIDATE_GITHUB_ACTIONS: true + VALIDATE_GITHUB_ACTIONS_ZIZMOR: true VALIDATE_HTML: true VALIDATE_JSON: true VALIDATE_NATURAL_LANGUAGE: true From cda26ae7325028996a749e487c8db41a65a72522 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Fri, 5 Dec 2025 10:17:30 +0100 Subject: [PATCH 2/4] chore: enable more linter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- .golangci.yaml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.golangci.yaml b/.golangci.yaml index b4f5e373..afa3ac99 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -71,12 +71,14 @@ linters: - name: error-return - name: error-strings - name: errorf + - name: forbidden-call-in-wg-go - name: get-return - name: identical-branches - name: if-return - name: import-alias-naming - name: import-shadowing - name: increment-decrement + - name: inefficient-map-lookup - name: indent-error-flow - name: modifies-parameter - name: modifies-value-receiver @@ -106,6 +108,7 @@ linters: - name: time-naming - name: unconditional-recursion - name: unexported-naming + - name: unnecessary-if - name: unnecessary-stmt - name: unreachable-code - name: unused-parameter 
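Review bot: In the `@@ -71,12 +71,14 @@` hunk of `.golangci.yaml`, the new `- name: inefficient-map-lookup` sits between `increment-decrement` and `indent-error-flow`, which breaks the alphabetical order the surrounding rule names follow. Move it one entry down, after `- name: indent-error-flow`, so the list stays sorted and future additions are easy to spot in a diff. The other two additions (`forbidden-call-in-wg-go`, and `unnecessary-if` in the `@@ -106,6 +108,7 @@` hunk) are already in order. The rule list starts and ends outside both hunks.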
From 5e518a7a481ee3f545e72164839f585a2b15d4d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Fri, 5 Dec 2025 10:24:29 +0100 Subject: [PATCH 3/4] chore: enable more linter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- .github/workflows/ci.yaml | 9 +++++++++ .github/zizmor.yml | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index b6f09d60..b7684125 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -19,6 +19,8 @@ jobs: contents: read steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: 'false' - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: @@ -56,6 +58,7 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: + persist-credentials: 'false' fetch-depth: 0 - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 @@ -93,6 +96,9 @@ jobs: contents: read steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: 'false' + - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 with: go-version-file: 'go.mod' @@ -116,6 +122,7 @@ jobs: - name: Checkout Code uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: + persist-credentials: 'false' fetch-depth: 0 - name: Lint Code Base @@ -124,6 +131,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} MULTI_STATUS: false LINTER_RULES_PATH: . + GITHUB_ACTIONS_ZIZMOR_CONFIG_FILE: ./.github/zizmor.yml VALIDATE_ALL_CODEBASE: true VALIDATE_BASH: true VALIDATE_BASH_EXEC: true 
@@ -159,6 +167,7 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: + persist-credentials: 'false' fetch-depth: 0 - uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0 diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..58b562cf --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,3 @@ +rules: + cache-poisoning: + disable: true From 4d559932fa9672d27e76f2e2fafd364ca197ed3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jan-Otto=20Kr=C3=B6pke?= Date: Fri, 5 Dec 2025 10:28:47 +0100 Subject: [PATCH 4/4] chore: enable more linter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Jan-Otto Kröpke --- .github/workflows/pr-check.yaml | 4 ++++ .github/workflows/wiki.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/pr-check.yaml b/.github/workflows/pr-check.yaml index c66d83d2..4c9db7b3 100644 --- a/.github/workflows/pr-check.yaml +++ b/.github/workflows/pr-check.yaml @@ -8,10 +8,14 @@ on: - labeled - unlabeled +permissions: {} + jobs: required-labels-missing: name: required labels missing runs-on: ubuntu-latest + permissions: + contents: read steps: - name: check if: >- diff --git a/.github/workflows/wiki.yaml b/.github/workflows/wiki.yaml index 6f3f2768..7679103c 100644 --- a/.github/workflows/wiki.yaml +++ b/.github/workflows/wiki.yaml @@ -18,8 +18,12 @@ jobs: steps: - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + with: + persist-credentials: 'false' + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: + persist-credentials: 'true' repository: ${{ github.repository }}.wiki path: wiki.git
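Review bot: The new `.github/zizmor.yml` switches the `cache-poisoning` audit off for every workflow in the repository, and nothing in the file records why. If the findings come from a known set of cache-using steps, scoped entries under the rule's `ignore:` list (zizmor accepts `workflow.yml` or `workflow.yml:line` locations) would keep the audit active for workflows added later, which matters most for any job that builds or publishes release artifacts. If the blanket disable stays, add a comment above the rule such as `# cache-poisoning disabled: <reason>; re-enable when <condition>`, with the placeholders filled in by the author.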
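Review bot: The job-level `contents: read` added to `required-labels-missing` in `pr-check.yaml` may grant more than the job uses. The only visible step is a `check` step guarded by an `if:` expression and no checkout appears, so if the job reads just the event payload it could inherit the new top-level `permissions: {}` or declare `permissions: {}` itself. The step list continues outside the hunk, so confirm that no later step reads repository contents before dropping the grant.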
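Review bot: The second checkout in `wiki.yaml` now sets `persist-credentials: 'true'` with no comment explaining why, while every other checkout in this series turns it off. The token therefore stays usable by git for all later steps of that job. Presumably a later step pushes to `${{ github.repository }}.wiki`; if so, say it next to the key, e.g. `# credentials kept: a later step pushes to the wiki repository`. The remaining steps are outside the hunk, so it is also worth confirming that none of them uploads the `wiki.git` directory as an artifact or runs scripts taken from the checked-out content.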