Skip to content

Commit 2298677

Browse files
committed
ci: fix zizmor issues
1 parent b376cf2 commit 2298677

6 files changed

Lines changed: 15 additions & 11 deletions

File tree

.github/workflows/benchmark.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -15,8 +15,8 @@ jobs:
1515
if: github.repository == 'developmentseed/titiler'
1616
runs-on: ubuntu-latest
1717
permissions:
18-
contents: write
19-
pull-requests: write
18+
contents: write # Push benchmark results to gh-benchmarks branch
19+
pull-requests: write # Leave PR comments when benchmark regressions exceed alert threshold
2020

2121
steps:
2222
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

.github/workflows/ci.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -94,7 +94,7 @@ jobs:
9494
runs-on: ubuntu-latest
9595
permissions:
9696
contents: read
97-
packages: write
97+
packages: write # Push multi-arch images to ghcr.io for this repository
9898
strategy:
9999
matrix:
100100
include:

.github/workflows/deploy.yml

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -14,7 +14,7 @@ jobs:
1414
run:
1515
working-directory: deployment/aws
1616
permissions:
17-
id-token: write
17+
id-token: write # AWS OIDC: exchange JWT for temporary credentials in configure-aws-credentials
1818
contents: read
1919
steps:
2020
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -47,8 +47,10 @@ jobs:
4747

4848
# Build and Deploy CDK application
4949
- name: Build & Deploy
50-
run: uv run cdk deploy ${{ secrets.STACK_NAME }}-lambda-${{ secrets.STACK_STAGE }} --require-approval never
50+
run: uv run cdk deploy "${STACK_NAME}-lambda-${STACK_STAGE}" --require-approval never
5151
env:
52+
STACK_NAME: ${{ secrets.STACK_NAME }}
53+
STACK_STAGE: ${{ secrets.STACK_STAGE }}
5254
TITILER_STACK_NAME: ${{ secrets.STACK_NAME }}
5355
TITILER_STACK_STAGE: ${{ secrets.STACK_STAGE }}
5456
TITILER_STACK_MEMORY: ${{ secrets.STACK_MEMORY }}

.github/workflows/deploy_mkdocs.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -19,7 +19,7 @@ jobs:
1919
runs-on: ubuntu-latest
2020
environment: github-pages
2121
permissions:
22-
contents: write
22+
contents: write # mkdocs gh-deploy pushes the built site to gh-pages
2323
steps:
2424
- name: Checkout main
2525
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

.github/workflows/release.yml

Lines changed: 6 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -44,9 +44,12 @@ jobs:
4444
echo "version=$(uv version --short)" >> $GITHUB_OUTPUT
4545
4646
- name: Check version match
47+
env:
48+
TAG_VERSION: ${{ steps.tag.outputs.version }}
49+
MODULE_VERSION: ${{ steps.module.outputs.version }}
4750
run: |
48-
if [ "${{ steps.tag.outputs.version }}" != "${{ steps.module.outputs.version }}" ]; then
49-
echo "Tag version (${{ steps.tag.outputs.version }}) does not match module version (${{ steps.module.outputs.version }})"
51+
if [ "$TAG_VERSION" != "$MODULE_VERSION" ]; then
52+
echo "Tag version ($TAG_VERSION) does not match module version ($MODULE_VERSION)"
5053
exit 1
5154
fi
5255
@@ -66,7 +69,7 @@ jobs:
6669
name: pypi-release
6770
permissions:
6871
contents: read
69-
id-token: write
72+
id-token: write # OIDC token for PyPI trusted publishing (pypa/gh-action-pypi-publish)
7073
steps:
7174
- uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
7275
with:

.github/workflows/zizmor.yml

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -21,8 +21,7 @@ jobs:
2121
name: Run zizmor
2222
runs-on: ubuntu-latest
2323
permissions:
24-
# Required for upload-sarif (used by zizmor-action) to upload SARIF files.
25-
security-events: write
24+
security-events: write # Upload zizmor SARIF to GitHub Code Scanning
2625
contents: read
2726
steps:
2827
- name: Checkout repository

0 commit comments

Comments
 (0)