Merge pull request #7 from javiermolinar/fix-zizmor-issues

fix zizmor issues

Author: MirrexOne

.github/workflows/build.yml

@@ -18,6 +18,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v5
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@v6
       with:
         go-version: ${{ matrix.go-version }}

.github/workflows/lint.yml

@@ -13,6 +13,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v5
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@v6
       with:
         go-version: stable

.github/workflows/publish-goland-plugin.yml

@@ -32,19 +32,23 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Validate version format
         run: |
-          if [[ "${{ github.ref }}" == refs/tags/goland-v* ]]; then
+          if [[ "${GITHUB_REF}" == refs/tags/goland-v* ]]; then
             VERSION="${GITHUB_REF#refs/tags/goland-v}"
           else
-            VERSION="${{ github.event.inputs.version }}"
+            VERSION="${GITHUB_EVENT_INPUTS_VERSION}"
           fi
           if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9]+)?$ ]]; then
             echo "::error::Invalid version format: $VERSION (expected: X.Y.Z or X.Y.Z-suffix)"
             exit 1
           fi
           echo "PLUGIN_VERSION=$VERSION" >> $GITHUB_ENV
+        env:
+          GITHUB_EVENT_INPUTS_VERSION: ${{ github.event.inputs.version }}
 
       - name: Setup Java
         uses: actions/setup-java@v4
@@ -56,12 +60,13 @@ jobs:
         uses: gradle/actions/setup-gradle@v3
         with:
           cache-read-only: ${{ github.ref != 'refs/heads/main' }}
+          cache-disabled: true
 
       - name: Update plugin version
         working-directory: ${{ env.PLUGIN_DIR }}
         run: |
-          sed -i "s/^version = \".*\"/version = \"${{ env.PLUGIN_VERSION }}\"/" build.gradle.kts
-          echo "Updated version to ${{ env.PLUGIN_VERSION }}"
+          sed -i "s/^version = \".*\"/version = \"${PLUGIN_VERSION}\"/" build.gradle.kts
+          echo "Updated version to ${PLUGIN_VERSION}"
           grep "^version" build.gradle.kts
 
       - name: Build Plugin
@@ -76,8 +81,9 @@ jobs:
         working-directory: ${{ env.PLUGIN_DIR }}
         env:
           PUBLISH_TOKEN: ${{ secrets.JETBRAINS_PUBLISH_TOKEN }}
+          GITHUB_EVENT_INPUTS_CHANNEL: ${{ github.event.inputs.channel || 'default' }}
         run: |
-          CHANNEL="${{ github.event.inputs.channel || 'default' }}"
+          CHANNEL="${GITHUB_EVENT_INPUTS_CHANNEL}"
           echo "Publishing to channel: $CHANNEL"
           ./gradlew publishPlugin -PpluginChannel="$CHANNEL"
 

.github/workflows/release-lsp.yml

@@ -21,28 +21,35 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
           go-version: '1.21'
-          cache: true
+          cache: false
 
       - name: Get version
         id: version
         run: |
           if [ "${{ github.event_name }}" = "release" ]; then
-            VERSION="${{ github.event.release.tag_name }}"
+            VERSION="${GITHUB_EVENT_RELEASE_TAG_NAME}"
           else
-            VERSION="${{ github.event.inputs.version }}"
+            VERSION="${GITHUB_EVENT_INPUTS_VERSION}"
           fi
           echo "version=$VERSION" >> $GITHUB_OUTPUT
           echo "Building version: $VERSION"
+        env:
+          GITHUB_EVENT_RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+          GITHUB_EVENT_INPUTS_VERSION: ${{ github.event.inputs.version }}
 
       - name: Build binaries for all platforms
         run: |
           chmod +x scripts/build-lsp.sh
-          ./scripts/build-lsp.sh ${{ steps.version.outputs.version }} dist
+          ./scripts/build-lsp.sh ${STEPS_VERSION_OUTPUTS_VERSION} dist
+        env:
+          STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
 
       - name: Generate checksums
         run: |

.github/workflows/sync-plugin-version.yml

@@ -16,6 +16,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Extract version from main release tag
         run: |
@@ -32,12 +34,14 @@ jobs:
 
       - name: Setup Gradle
         uses: gradle/actions/setup-gradle@v3
+        with:
+          cache-disabled: true
 
       - name: Update plugin version
         working-directory: extensions/goland
         run: |
-          sed -i "s/^version = \".*\"/version = \"${{ env.PLUGIN_VERSION }}\"/" build.gradle.kts
-          echo "Updated GoLand plugin version to ${{ env.PLUGIN_VERSION }}"
+          sed -i "s/^version = \".*\"/version = \"${PLUGIN_VERSION}\"/" build.gradle.kts
+          echo "Updated GoLand plugin version to ${PLUGIN_VERSION}"
           grep "^version" build.gradle.kts
 
       - name: Build Plugin

.github/workflows/test.yml

@@ -16,6 +16,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@v5
+      with:
+        persist-credentials: false
     - uses: actions/setup-go@v6
       with:
         go-version: ${{ matrix.go-version }}

action.yml

@@ -46,11 +46,13 @@ runs:
     - name: Install unqueryvet
       shell: bash
       run: |
-        if [ "${{ inputs.version }}" = "latest" ]; then
+        if [ "${INPUTS_VERSION}" = "latest" ]; then
           go install github.com/MirrexOne/unqueryvet/cmd/unqueryvet@latest
         else
-          go install github.com/MirrexOne/unqueryvet/cmd/unqueryvet@${{ inputs.version }}
+          go install github.com/MirrexOne/unqueryvet/cmd/unqueryvet@${INPUTS_VERSION}
         fi
+      env:
+        INPUTS_VERSION: ${{ inputs.version }}
 
     - name: Run unqueryvet
       id: run
@@ -59,13 +61,13 @@ runs:
       run: |
         set +e
 
-        ARGS="${{ inputs.args }}"
+        ARGS="${INPUTS_ARGS}"
 
-        if [ "${{ inputs.check-n1 }}" = "true" ]; then
+        if [ "${INPUTS_CHECK_N1}" = "true" ]; then
           ARGS="-n1 $ARGS"
         fi
 
-        if [ "${{ inputs.check-sqli }}" = "true" ]; then
+        if [ "${INPUTS_CHECK_SQLI}" = "true" ]; then
           ARGS="-sqli $ARGS"
         fi
 
@@ -80,7 +82,7 @@ runs:
         echo "issues=$ISSUES" >> $GITHUB_OUTPUT
         echo "exit_code=$EXIT_CODE" >> $GITHUB_OUTPUT
 
-        if [ "${{ inputs.fail-on-issues }}" = "true" ] && [ $EXIT_CODE -ne 0 ]; then
+        if [ "${INPUTS_FAIL_ON_ISSUES}" = "true" ] && [ $EXIT_CODE -ne 0 ]; then
           echo "::error::Unqueryvet found $ISSUES issues"
           exit 1
         fi
@@ -90,3 +92,8 @@ runs:
         else
           echo "::warning::Found $ISSUES SELECT * issues"
         fi
+      env:
+        INPUTS_ARGS: ${{ inputs.args }}
+        INPUTS_CHECK_N1: ${{ inputs.check-n1 }}
+        INPUTS_CHECK_SQLI: ${{ inputs.check-sqli }}
+        INPUTS_FAIL_ON_ISSUES: ${{ inputs.fail-on-issues }}