ensure all yaml string values are quoted

Author: ChrisGe4

.github/workflows/actionlint.yml

@@ -4,20 +4,20 @@ on:
   workflow_dispatch:
 
 permissions:
-  contents: read
-  pull-requests: write
+  contents: 'read'
+  pull-requests: 'write'
 
 concurrency:
-  group: actionlint-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
-  cancel-in-progress: true
+  group: 'actionlint-${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}'
+  cancel-in-progress: 'true'
 
 jobs:
   lint:
-    runs-on: ubuntu-latest
+    runs-on: 'ubuntu-latest'
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+      - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v6
       - name: 'Run actionlint with reviewdog'
-        uses: reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d # ratchet:reviewdog/action-actionlint@v1.72.0
+        uses: 'reviewdog/action-actionlint@6fb7acc99f4a1008869fa8a0f09cfca740837d9d' # ratchet:reviewdog/action-actionlint@v1.72.0
         with:
           fail_on_error: true
           reporter: 'github-pr-check'

.github/workflows/centralized-stale.yml

@@ -9,9 +9,9 @@ on:
 jobs:
   # Stage 1: Query the organization for all active repositories
   fetch-repositories:
-    runs-on: ubuntu-latest
+    runs-on: 'ubuntu-latest'
     outputs:
-      matrix: ${{ steps.set-matrix.outputs.repos }}
+      matrix: '${{ steps.set-matrix.outputs.repos }}'
     steps:
       - id: 'auth-minty'
         name: 'Authenticate to Google Cloud'
@@ -40,7 +40,7 @@ jobs:
       - name: 'List active repositories'
         id: set-matrix
         env:
-          GH_TOKEN: ${{ steps.mint-github-token.outputs.token }}
+          GH_TOKEN: '${{ steps.mint-github-token.outputs.token }}'
         run: |
           # Query GitHub API for active, public, non-forked repositories and force single-line JSON to prevent GITHUB_OUTPUT truncation
           REPOS=$(gh api --paginate /orgs/google-github-actions/repos -q '[.[] | select(.archived == false and .private == false and .fork == false) | .name]' | jq -c .)
@@ -49,11 +49,11 @@ jobs:
   # Stage 2: Fan out official actions/stale across all discovered repositories
   apply-stale-rules:
     needs: fetch-repositories
-    runs-on: ubuntu-latest
+    runs-on: 'ubuntu-latest'
     strategy:
       fail-fast: false
       matrix:
-        repo: ${{ fromJson(needs.fetch-repositories.outputs.matrix) }}
+        repo: '${{ fromJson(needs.fetch-repositories.outputs.matrix) }}'
 
     steps:
       - id: 'auth-minty'
@@ -81,11 +81,11 @@ jobs:
             }
 
       - name: 'Run official stale bot'
-        uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f # ratchet:actions/stale@v10.2.0
+        uses: 'actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f' # ratchet:actions/stale@v10.2.0
         env:
           GITHUB_REPOSITORY: 'google-github-actions/${{ matrix.repo }}'
         with:
-          repo-token: ${{ steps.mint-github-token.outputs.token }}
+          repo-token: '${{ steps.mint-github-token.outputs.token }}'
           operations-per-run: 300 # Increased burndown limit for first execution
 
           # Issue configuration (60 days total: 53 inactive + 7 warning)

.github/workflows/scorecard.yml

@@ -3,29 +3,29 @@ on:
   pull_request:
   workflow_dispatch:
 
-permissions: read-all
+permissions: 'read-all'
 
 jobs:
   analyze:
-    runs-on: ubuntu-latest
+    runs-on: 'ubuntu-latest'
     permissions:
-      contents: read
-      security-events: write
-      id-token: write
+      contents: 'read'
+      security-events: 'write'
+      id-token: 'write'
     timeout-minutes: 20
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # ratchet:actions/checkout@v6
+    - uses: 'actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd' # ratchet:actions/checkout@v6
       with:
         # Checkout the base repository ref, not the PR's head commit
-        ref: ${{ github.event.pull_request.base.sha }}
+        ref: '${{ github.event.pull_request.base.sha }}'
         persist-credentials: false
     - name: 'Run Scorecard'
-      uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # ratchet:ossf/scorecard-action@v2.4.3
+      uses: 'ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a' # ratchet:ossf/scorecard-action@v2.4.3
       with:
         results_file: 'results.sarif'
         results_format: 'sarif'
         publish_results: false
     - name: 'Upload to GitHub Security Tab'
-      uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # ratchet:github/codeql-action/upload-sarif@v4.35.1
+      uses: 'github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13' # ratchet:github/codeql-action/upload-sarif@v4.35.1
       with:
         sarif_file: 'results.sarif'