cleanup remaining zizmor errors

Author: bckohan

.github/workflows/scorecard.yml

@@ -25,7 +25,7 @@ jobs:
           persist-credentials: false
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
         with:
           results_file: results.sarif
           results_format: sarif
@@ -47,7 +47,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: SARIF file
           path: results.sarif
@@ -56,6 +56,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e
         with:
           sarif_file: results.sarif

.github/workflows/test.yml

@@ -62,9 +62,6 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         persist-credentials: false
-    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
-      with:
-        node-version: 22
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
       id: sp
@@ -142,9 +139,6 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         persist-credentials: false
-    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
-      with:
-        node-version: 22
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
       id: sp
@@ -225,9 +219,6 @@ jobs:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
       with:
         persist-credentials: false
-    - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f
-      with:
-        node-version: 22
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405
       id: sp

.github/workflows/update_coc.yml

@@ -21,6 +21,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        with:
+          persist-credentials: false
 
       - name: Fetch CODE_OF_CONDUCT.md from django-commons
         run: |

.github/workflows/zizmor.yml

@@ -40,25 +40,25 @@ jobs:
 
       - name: Run Zizmor analysis
         run: |
-          zizmor --format sarif .github/workflows/ > results.sarif
+          zizmor --format sarif .github/workflows/ > zizmor.sarif
 
       - name: Upload analysis results
         uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f
         with:
           name: zizmor-results
-          path: results.sarif
+          path: zizmor.sarif
           retention-days: 7
 
       - name: Upload to code-scanning
         uses: github/codeql-action/upload-sarif@89a39a4e59826350b863aa6b6252a07ad50cf83e
         with:
-          sarif_file: results.sarif
+          sarif_file: zizmor.sarif
 
       - name: Fail on Findings
         run: |
           count="$(
             jq '([.runs[]? | (.results // [])[] | select(.level != "note")] | length) // 0' \
-              results.sarif
+              zizmor.sarif
           )"
           echo "Zizmor findings: $count"
           test "$count" -eq 0

.gitignore

@@ -159,3 +159,4 @@ cython_debug/
 /render_static/tests/examples/static
 requirements.txt
 uv.lock
+zizmor.sarif