fix: address all zizmor security findings in GitHub Actions workflows

Copilot · jkowalleck · web-flow · commit 5b2cb0ba371d · 2026-04-25T11:12:00.000Z
Agent-Logs-Url: https://github.com/CycloneDX/cyclonedx-python-lib/sessions/d81c6415-5af8-4064-9ff0-dbcbaa56a382 Co-authored-by: jkowalleck <2765863+jkowalleck@users.noreply.github.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -7,6 +7,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     allow:
       - dependency-type: 'all'
     versioning-strategy: 'auto'
@@ -21,6 +23,8 @@ updates:
     schedule:
       interval: 'weekly'
       day: 'saturday'
+    cooldown:
+      default-days: 7
     labels: [ 'dependencies' ]
     commit-message:
       ## prefix maximum string length of 15
diff --git a/.github/workflows/python.yml b/.github/workflows/python.yml
@@ -34,6 +34,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -58,6 +60,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -82,6 +86,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -106,6 +112,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -142,6 +150,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -192,6 +202,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Create reports directory
         run: mkdir ${{ env.REPORTS_DIR }}
       - name: Setup Python Environment
@@ -270,6 +282,8 @@ jobs:
       - name: Checkout
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -49,6 +49,8 @@ jobs:
       - name: Checkout code
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -71,6 +73,8 @@ jobs:
       - name: Checkout code
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Setup Python Environment
         # see https://github.com/actions/setup-python
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
@@ -113,17 +117,19 @@ jobs:
           private-key: ${{ secrets.CDX_RELEASE_BOT_PRIVATE_KEY }}
       - name: Get GitHub App User ID
         id: release-bot-user-id
-        run: |
-          set -xeu
-          echo "user-id=$(gh api "/users/${{ steps.release-bot-token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
         env:
+          APP_SLUG: ${{ steps.release-bot-token.outputs.app-slug }}
           GH_TOKEN: ${{ steps.release-bot-token.outputs.token }}
+        run: |
+          set -xeu
+          echo "user-id=$(gh api "/users/${APP_SLUG}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
 
       - name: Checkout code
         # see https://github.com/actions/checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
           token: ${{ steps.release-bot-token.outputs.token }}
 
       - name: Setup python
