Address zizmor GitHub Actions findings

nscuro · nscuro · commit bbf22de7350b · 2026-03-27T11:09:49.000+01:00
Fixes findings identified by zizmor (https://github.com/zizmorcore/zizmor) Signed-off-by: nscuro <nscuro@protonmail.com>
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -4,8 +4,12 @@ updates:
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "daily"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -22,6 +22,7 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
       with:
+        persist-credentials: false
         # We must fetch at least the immediate parents so that if this is
         # a pull request then we can checkout the head.
         fetch-depth: 2
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -17,6 +17,8 @@ jobs:
     timeout-minutes: 30
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+        with:
+          persist-credentials: false
       - name: Set up JDK
         uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
         with:
diff --git a/.github/workflows/maven.yml b/.github/workflows/maven.yml
@@ -21,6 +21,8 @@ jobs:
     steps:
     - name: Checkout Repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+      with:
+        persist-credentials: false
     - name: Set up JDK ${{ matrix.java-version }}
       uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
       with:
diff --git a/.github/workflows/pr-test-coverage.yml b/.github/workflows/pr-test-coverage.yml
@@ -24,9 +24,12 @@ jobs:
         github-token: ${{ secrets.GITHUB_TOKEN }}
         run-id: ${{ github.event.workflow_run.id }}
     - name: Report Coverage to Codacy
+      env:
+        CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
+        COMMIT_SHA: ${{ github.event.workflow_run.head_sha }}
       run: |-
         bash <(curl -Ls https://coverage.codacy.com/get.sh) report \
-          --project-token ${{ secrets.CODACY_PROJECT_TOKEN }} \
-          --commit-uuid ${{ github.event.workflow_run.head_sha }} \
+          --project-token "${CODACY_PROJECT_TOKEN}" \
+          --commit-uuid "${COMMIT_SHA}" \
           --coverage-reports ./jacoco.xml \
           --language Java
diff --git a/.github/workflows/publish-snapshot.yml b/.github/workflows/publish-snapshot.yml
@@ -6,14 +6,15 @@ permissions: {}
 
 jobs:
   build:
-
     runs-on: ubuntu-latest
 
     permissions:
       contents: write  # for git-push after version modifications
 
     steps:
     - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag=v6.0.2
+      with:
+        persist-credentials: false
     - name: Set up JDK
       uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # tag=v5.2.0
       with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -40,24 +40,18 @@ jobs:
           git config --global user.email "info@cyclonedx.org"
           git config --global user.name "CycloneDX Automation"
 
-      - name: Set Maven options
-        id: maven_options
-        run: |
-          # Set the Maven options based on the 'dry_run' input
-          if ${{ github.event.inputs.dry_run }}; then
-            echo "options=release:prepare -DdryRun=true" >> $GITHUB_ENV
-          else
-            echo "options=release:clean release:prepare release:perform" >> $GITHUB_ENV
-          fi
-
       - name: Run Maven command
-        run: |
-          mvn -B ${{ env.options }}
         env:
+          DRY_RUN: ${{ github.event.inputs.dry_run }}
           MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
           MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
           MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |-
+          if [ "$DRY_RUN" = "true" ]; then
+            mvn -B release:prepare -DdryRun=true
+          else
+            mvn -B release:clean release:prepare release:perform
+          fi
         continue-on-error: ${{ github.event.inputs.dry_run == false }}
 
       - name: Rollback if release fails
@@ -69,4 +63,3 @@ jobs:
           MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
           MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
           MAVEN_GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
