ci: fix zizmor audit findings

MarshallOfSound · MarshallOfSound · commit a4fa66786ecc · 2026-04-02T19:58:48.000Z
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,7 +7,7 @@ on:
       - .github/workflows/build.yml
 
 permissions:
-  contents: write
+  contents: read
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -24,6 +24,8 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
+        with:
+          persist-credentials: false
       - name: Install Packages
         run: |
           sudo apt update
@@ -56,6 +58,8 @@ jobs:
     steps:
       - name: Checkout Repository
         uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: python3 -m pip install --upgrade requests
       - name: Download Bullseye Sysroot Artifacts
diff --git a/.github/workflows/upstream-sysroot.yml b/.github/workflows/upstream-sysroot.yml
@@ -27,37 +27,43 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
     - name: Fetch Current SHA
       shell: bash
       run: |
-        if [ -n "${{ github.event.inputs.current-sha }}" ]; then
-          CURRENT_SHA="${{ github.event.inputs.current-sha }}"
+        if [ -n "${GITHUB_EVENT_INPUTS_CURRENT_SHA}" ]; then
+          CURRENT_SHA="${GITHUB_EVENT_INPUTS_CURRENT_SHA}"
         elif [ -f current-sha.json ]; then
           CURRENT_SHA=$(jq -r '.sha' current-sha.json)
         else
           echo "No current SHA provided and current-sha.json not found."
           exit 1
         fi
         echo "CURRENT_SHA=${CURRENT_SHA}" >> $GITHUB_ENV
+      env:
+        GITHUB_EVENT_INPUTS_CURRENT_SHA: ${{ github.event.inputs.current-sha }}
     - name: Fetch latest upstream SHA
       shell: bash
       run: |
-        if [ -n "${{ github.event.inputs.upstream-sha }}" ]; then
-          UPSTREAM_SHA="${{ github.event.inputs.upstream-sha }}"
+        if [ -n "${GITHUB_EVENT_INPUTS_UPSTREAM_SHA}" ]; then
+          UPSTREAM_SHA="${GITHUB_EVENT_INPUTS_UPSTREAM_SHA}"
         else
           UPSTREAM_SHA=$(gh api -X GET repos/chromium/chromium/commits -f path="build/linux/sysroot_scripts" -f per_page=1 --jq '.[0].sha')
         fi
         echo "UPSTREAM_SHA=${UPSTREAM_SHA}" >> $GITHUB_ENV
+      env:
+        GITHUB_EVENT_INPUTS_UPSTREAM_SHA: ${{ github.event.inputs.upstream-sha }}
     - name: Compare current SHA with upstream SHA
       shell: bash
       run: |
-        if [ "${{ env.CURRENT_SHA }}" == "${{ env.UPSTREAM_SHA }}" ]; then
+        if [ "${CURRENT_SHA}" == "${UPSTREAM_SHA}" ]; then
           echo "No changes found - sysroot scripts are up to date!"
         else
           gh api -X GET repos/chromium/chromium/commits -f path="build/linux/sysroot_scripts" -f per_page=20 > commits.json
 
           COMMITS=$(
-            jq -r --arg base_sha "${{ env.CURRENT_SHA }}" '
+            jq -r --arg base_sha "${CURRENT_SHA}" '
               ([.[].sha] | index($base_sha) // length) as $idx |
               .[0:$idx] | .[] | 
               "- [`\(.sha[0:7])`](\(.html_url)) \(.commit.message | split("\n")[0])"
