fix(ci): resolve zizmor security findings

skyrpex · skyrpex · commit 1d74b3a637ae · 2026-05-05T16:37:09.000+02:00
- set-version action: use GITHUB_OUTPUT instead of GITHUB_ENV to prevent
  env injection via crafted branch names
- dependabot-auto-merge: replace pull_request_target with pull_request and
  drop unnecessary checkout step
- release: move permissions from workflow level to per-job scope; lock
  workflow-level permissions to empty
diff --git a/.github/actions/set-version/action.yml b/.github/actions/set-version/action.yml
@@ -1,10 +1,16 @@
 name: 'Set Version from Branch'
-description: 'Sets VERSION environment variable from the current branch name'
+description: 'Sets VERSION output from the current branch name'
+
+outputs:
+  version:
+    description: 'The version extracted from the branch name'
+    value: ${{ steps.set-version.outputs.version }}
 
 runs:
   using: composite
   steps:
     - name: Set version from branch name
+      id: set-version
       shell: bash
       run: |
         # GITHUB_HEAD_REF contains the source branch for PRs (e.g., "v1.2.5"), but is empty for pushes
@@ -30,5 +36,5 @@ runs:
           exit 1
         fi
 
-        echo "VERSION=$VERSION" >> $GITHUB_ENV
+        echo "version=$VERSION" >> $GITHUB_OUTPUT
         echo "Using version: $VERSION (from branch: $BRANCH_NAME)"
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -1,7 +1,7 @@
 name: Auto merge Dependabot pull requests
 
 on:
-  pull_request_target:
+  pull_request:
     types:
       - labeled
       - opened
@@ -19,11 +19,6 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.pull_request.user.login == 'dependabot[bot]'
     steps:
-      - name: Checkout
-        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
-        with:
-          persist-credentials: false
-
       - name: Approve
         run: gh pr review "$PR_NUMBER" --approve
         env:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,10 +5,7 @@ on:
     branches:
       - main
 
-permissions:
-  contents: write
-  issues: write
-  pull-requests: write
+permissions: {}
 
 concurrency:
   group: release
@@ -18,6 +15,8 @@ jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
@@ -48,6 +47,10 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     needs: test
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}
@@ -63,6 +66,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: release
     if: ${{ needs.release.outputs.release_created == 'true' }}
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
@@ -98,6 +103,8 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build, release]
     if: ${{ needs.release.outputs.release_created == 'true' }}
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
@@ -123,6 +130,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build, release]
     if: ${{ needs.release.outputs.release_created == 'true' }}
+    permissions: {}
     steps:
       - name: Download VSIX
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
@@ -142,6 +150,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: [build, release]
     if: ${{ needs.release.outputs.release_created == 'true' }}
+    permissions: {}
     steps:
       - name: Download VSIX
         uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
