CI: Fix some issues pointed out by zizmor; improve some more workflows (

#107) * Fix some issues pointed out by zizmor. * Replace some script templating expressions with environment variables.
ansible-community · Dec 14, 2024 · 31ac26f · 31ac26f
1 parent f809354
commit 31ac26f
Show file tree

Hide file tree

Showing 3 changed files with 34 additions and 11 deletions.
diff --git a/.github/workflows/ansible-test.yml b/.github/workflows/ansible-test.yml
@@ -53,21 +53,27 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python 3.12
         uses: actions/setup-python@v5
         with:
           python-version: "3.12"
 
       - name: Install dependencies
+        env:
+          ANSIBLE_CORE_1: ${{ matrix.ansible-core-1 }}
         run: |
           sudo apt-get install podman buildah
-          pip install ${{ matrix.ansible-core-1 }}
+          pip install "${ANSIBLE_CORE_1}"
 
       - name: Build ${{ matrix.name }} image
+        env:
+          NAME: ${{ matrix.name }}
         run: |
-          ${{ matrix.name }}/build.sh
-          podman tag localhost/test-image:${{ matrix.name }} "${CONTAINER_REGISTRY}/${CONTAINER_IMAGE_NAME}:${{ matrix.name }}"
+          "${NAME}/build.sh"
+          podman tag "localhost/test-image:${NAME}" "${CONTAINER_REGISTRY}/${CONTAINER_IMAGE_NAME}:${NAME}"
         working-directory: ./ansible-test/
 
       # This is necessary to allow running systemd in rootless containers
@@ -79,28 +85,37 @@ jobs:
       - name: Run basic tests with ${{ matrix.name }} image (${{ matrix.ansible-core-1 }}, Python versions ${{ matrix.python }}, Podman)
         if: ${{ matrix.test-with-podman }}
         env:
+          NAME: ${{ matrix.name }}
+          PYTHON_VERSIONS: ${{ matrix.python }}
           ANSIBLE_TEST_PREFER_PODMAN: 1
         run: |
-          for PYTHON in ${{ matrix.python }}; do
-            ansible-test integration --color -v --python ${PYTHON} --docker localhost/test-image:${{ matrix.name }} shippable/posix/group1/
+          for PYTHON in ${PYTHON_VERSIONS}; do
+            ansible-test integration --color -v --python "${PYTHON}" --docker "localhost/test-image:${NAME}" shippable/posix/group1/
           done
         working-directory: ./.github/ansible-test-tests/ansible_collections/testns/testcol
 
       - name: Copy image from podman to docker
         if: ${{ matrix.test-with-docker }}
+        env:
+          NAME: ${{ matrix.name }}
         run: |
-          podman push localhost/test-image:${{ matrix.name }} docker-daemon:localhost/test-image:${{ matrix.name }}
+          podman push "localhost/test-image:${NAME}" "docker-daemon:localhost/test-image:${NAME}"
 
       - name: Install ansible-core ${{ matrix.ansible-core-2 }}
         if: ${{ matrix.test-with-docker }}
+        env:
+          ANSIBLE_CORE_2: ${{ matrix.ansible-core-2 }}
         run: |
-          pip install https://github.com/ansible/ansible/archive/${{ matrix.ansible-core-2 }}.tar.gz
+          pip install "https://github.com/ansible/ansible/archive/${ANSIBLE_CORE_2}.tar.gz"
 
       - name: Run basic tests with ${{ matrix.name }} image (ansible-core ${{ matrix.ansible-core-2 }}, Python versions ${{ matrix.python }}, Docker)
         if: ${{ matrix.test-with-docker }}
+        env:
+          NAME: ${{ matrix.name }}
+          PYTHON_VERSIONS: ${{ matrix.python }}
         run: |
-          for PYTHON in ${{ matrix.python }}; do
-            ansible-test integration --color -v --python ${PYTHON} --docker localhost/test-image:${{ matrix.name }} shippable/posix/group1/
+          for PYTHON in ${PYTHON_VERSIONS}; do
+            ansible-test integration --color -v --python "${PYTHON}" --docker "localhost/test-image:${NAME}" shippable/posix/group1/
           done
         working-directory: ./.github/ansible-test-tests/ansible_collections/testns/testcol
 

diff --git a/.github/workflows/eerelease.yml b/.github/workflows/eerelease.yml
@@ -44,13 +44,15 @@ jobs:
           repository: ansible-community/images
           ref: main
           path: image
+          persist-credentials: false
 
       - name: Check out eercheck repo for testing
         uses: actions/checkout@v4
         with:
           repository: anweshadas/eercheck
           ref: main
           path: eercheck
+          persist-credentials: false
 
       - name: Set up Python 3.11
         uses: actions/setup-python@v5

diff --git a/.github/workflows/execution-environments.yml b/.github/workflows/execution-environments.yml
@@ -32,6 +32,8 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Python 3.12
         uses: actions/setup-python@v5
@@ -44,13 +46,17 @@ jobs:
           pip install ansible-core ansible-builder ansible-navigator
 
       - name: Build ${{ matrix.name }} image
+        env:
+          NAME: ${{ matrix.name }}
         run: |
-          ansible-builder build -v 3 -t test-ee:${{ matrix.name }}
+          ansible-builder build -v 3 -t "test-ee:${NAME}"
         working-directory: ./execution-environments/${{ matrix.name }}
 
       - name: Run basic tests with ${{ matrix.name }} image
+        env:
+          NAME: ${{ matrix.name }}
         run: |
           ansible-navigator -v --mode stdout --pull-policy never \
-            --execution-environment-image test-ee:${{ matrix.name }} \
+            --execution-environment-image "test-ee:${NAME}" \
             run tests.yml
         working-directory: ./execution-environments/${{ matrix.name }}