sigstore / sigstore-go

Go library for Sigstore signing and verification
Apache License 2.0
49 stars 26 forks

ci: address zizmor's findings #336

Closed woodruffw closed 1 week ago

woodruffw commented 1 week ago

This addresses a bunch of low-impact findings from zizmor, all of which are disabling unneeded credential persistence or moving permissions: stanzas into their dependent jobs.

NB: This changeset doesn't include a new workflow for zizmor, but if folks are interested this one should be drag-n-drop 🙂

Afterwards:

$ zizmor .
🌈 completed codeql.yml
🌈 completed golangci-lint.yml
🌈 completed verify_license.yml
🌈 completed depsreview.yml
🌈 completed build.yml
🌈 completed scorecard.yml
🌈 completed conformance.yml
No findings to report. Good job!
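
The two kinds of change described above, shown on a constructed workflow. This is an added example, not a file from sigstore-go or a hunk from this changeset; the workflow name, job, steps and action versions are assumptions.

```yaml
# Constructed workflow for illustration only.
name: example-build

on:
  pull_request:

# Before: a workflow-level stanza that every job inherited, e.g.
#   permissions:
#     contents: read
#     security-events: write
# After: the workflow grants nothing by default and each job
# declares only what it needs.
permissions: {}

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # enough to check out the repository
    steps:
      - uses: actions/checkout@v4
        with:
          # Before: this input was omitted, so checkout's default left the
          # job token configured in the local git config for later steps.
          # After: no credential is persisted once checkout finishes.
          persist-credentials: false
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      - run: go build ./...
```

A job that does need to push or upload results gets its own narrower grant under its own `permissions:` key, so a compromised step in one job cannot use a scope that only another job required.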