ci: fix issues found by zizmor

Co-authored-by: Thomas Gerbet <thomas@gerbet.me>

.github/workflows/backport.yml

@@ -40,6 +40,7 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: false
 
       - name: Log current API rate limits
         env:

.github/workflows/build.yml

@@ -46,6 +46,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout the merge commit
         uses: ./.github/actions/checkout

.github/workflows/check.yml

@@ -34,6 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           path: trusted
           sparse-checkout: |
             ci/github-script
@@ -73,6 +74,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout merge and target commits
         uses: ./.github/actions/checkout

.github/workflows/eval.yml

@@ -34,6 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           path: trusted
           sparse-checkout: |
             ci/supportedVersions.nix
@@ -41,6 +42,7 @@ jobs:
       - name: Check out the PR at the test merge commit
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           ref: ${{ inputs.mergedSha }}
           path: untrusted
           sparse-checkout: |
@@ -84,6 +86,7 @@ jobs:
 
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Check out the PR at merged and target commits
         uses: ./.github/actions/checkout
@@ -155,6 +158,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Check out the PR at the target commit
         uses: ./.github/actions/checkout
@@ -181,8 +185,9 @@ jobs:
       - name: Compare against the target branch
         env:
           AUTHOR_ID: ${{ github.event.pull_request.user.id }}
+          TARGET_SHA: ${{ inputs.mergedSha }}
         run: |
-          git -C nixpkgs/trusted diff --name-only ${{ inputs.mergedSha }} \
+          git -C nixpkgs/trusted diff --name-only "$TARGET_SHA" \
             | jq --raw-input --slurp 'split("\n")[:-1]' > touched-files.json
 
           # Use the target branch to get accurate maintainer info
@@ -318,6 +323,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout the merge commit
         uses: ./.github/actions/checkout

.github/workflows/labels.yml

@@ -46,6 +46,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: |
             ci/github-script
 

.github/workflows/lint.yml

@@ -26,6 +26,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout the merge commit
         uses: ./.github/actions/checkout
@@ -60,6 +61,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout the merge commit
         uses: ./.github/actions/checkout
@@ -87,6 +89,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: .github/actions
       - name: Checkout merge and target commits
         uses: ./.github/actions/checkout

.github/workflows/merge-group.yml

@@ -24,6 +24,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout: |
             ci/supportedSystems.json
 

.github/workflows/periodic-merge-24h.yml

@@ -43,4 +43,5 @@ jobs:
       from: ${{ matrix.pairs.from }}
       into: ${{ matrix.pairs.into }}
     name: ${{ matrix.pairs.name || format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
-    secrets: inherit
+    secrets:
+      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}

.github/workflows/periodic-merge-6h.yml

@@ -42,4 +42,5 @@ jobs:
       from: ${{ matrix.pairs.from }}
       into: ${{ matrix.pairs.into }}
     name: ${{ format('{0} → {1}', matrix.pairs.from, matrix.pairs.into) }}
-    secrets: inherit
+    secrets:
+      NIXPKGS_CI_APP_PRIVATE_KEY: ${{ secrets.NIXPKGS_CI_APP_PRIVATE_KEY }}

.github/workflows/periodic-merge.yml

@@ -11,6 +11,9 @@ on:
         description: Target branch to merge into.
         required: true
         type: string
+    secrets:
+      NIXPKGS_CI_APP_PRIVATE_KEY:
+        required: true
 
 defaults:
   run:
@@ -32,6 +35,8 @@ jobs:
           permission-pull-requests: write
 
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - name: Find merge base between two branches
         if: contains(inputs.from, ' ')

.github/workflows/pr.yml

@@ -34,6 +34,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout-cone-mode: true # default, for clarity
           sparse-checkout: |
             ci/github-script

.github/workflows/reviewers.yml

@@ -29,6 +29,7 @@ jobs:
       - name: Check out the PR at the base commit
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           path: trusted
           sparse-checkout: ci
 
@@ -146,6 +147,7 @@ jobs:
         if: ${{ steps.app-token.outputs.token }}
         env:
           GH_TOKEN: ${{ github.token }}
+          APP_GH_TOKEN: ${{ steps.app-token.outputs.token }}
           REPOSITORY: ${{ github.repository }}
           NUMBER: ${{ github.event.number }}
           AUTHOR: ${{ github.event.pull_request.user.login }}
@@ -156,7 +158,7 @@ jobs:
           # There appears to be no API to request reviews based on GitHub IDs
           jq -r 'keys[]' comparison/maintainers.json \
             | while read -r id; do gh api /user/"$id" --jq .login; done \
-            | GH_TOKEN=${{ steps.app-token.outputs.token }} result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
+            | GH_TOKEN="$APP_GH_TOKEN" result/bin/request-reviewers.sh "$REPOSITORY" "$NUMBER" "$AUTHOR"
 
       - name: Log current API rate limits (app-token)
         if: ${{ steps.app-token.outputs.token }}

.github/workflows/test.yml

@@ -21,6 +21,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
+          persist-credentials: false
           sparse-checkout-cone-mode: true # default, for clarity
           sparse-checkout: |
             ci/github-script