From 772a696fbb8669448ce38738a0317b761d48fcfd Mon Sep 17 00:00:00 2001
From: Samuel
Date: Wed, 12 Feb 2025 13:19:02 +0100
Subject: [PATCH 1/2] fix: zizmor alerts errors
---
.github/workflows/docker-build.yml | 4 ++++
.github/workflows/docker-release.yml | 4 ++++
.github/workflows/lint-and-build-npm.yml | 8 ++++++--
.github/workflows/lint-and-build-yarn.yml | 10 +++++++---
.github/workflows/npm-release.yml | 6 +++++-
5 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 9181f17..849c14d 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -27,6 +27,10 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + with: + install: true + use: true + driver-opts: network=none - name: Build and push Docker image uses: docker/build-push-action@v6
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 1c7b312..11c8bc2 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -70,6 +70,10 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 + with: + install: true + use: true + driver-opts: network=none - name: Login to Registry (GitHub) if: ${{ inputs.github-registry == 'true' }}
diff --git a/.github/workflows/lint-and-build-npm.yml b/.github/workflows/lint-and-build-npm.yml
index 3117393..856ccfd 100644
--- a/.github/workflows/lint-and-build-npm.yml
+++ b/.github/workflows/lint-and-build-npm.yml
@@ -60,8 +60,10 @@ jobs: if: ${{ inputs.artifact-name != '' }} - name: Prepare - run: ${{ inputs.prepare-command }} + env: + PREPARE_CMD: ${{ inputs.prepare-command }} if: ${{ inputs.prepare-command != '' }} + run: bash -c "$PREPARE_CMD" - name: Set Node.js uses: actions/setup-node@v4
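Review bot: `driver-opts: network=none` on the Buildx setup step puts the BuildKit builder container on no network, so the "Build and push Docker image" step that follows cannot pull base images or reach a registry unless everything is already in the local cache; nothing in zizmor's rule set asks for this, and the second patch in this series removes the whole `with:` block again. `install: true` and `use: true` are likewise unrelated to the reported findings. If an offline build was actually intended, it should be a documented, deliberate setting on the build step rather than a side effect of the builder's driver options.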
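Review bot: `run: bash -c "$PREPARE_CMD"` removes the template-injection sink but also drops the runner's default shell flags: GitHub executes `run:` scripts with `bash -eo pipefail`, while the nested `bash -c` starts a fresh shell without `-e` or `pipefail`, so a multi-command `prepare-command` such as `cmd1; cmd2` or a pipeline keeps going after a failure and the step still reports success. Prefer `run: bash -eo pipefail -c "$PREPARE_CMD"`, or `run: eval "$PREPARE_CMD"` to stay in the outer shell; the same applies to the Cleanup step later in this file and to the yarn workflow. The input is still executed as shell by design, so the reusable workflow's input description should state that `prepare-command` is trusted code supplied by the caller.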
@@ -93,5 +95,7 @@ jobs: if: ${{ inputs.build }} - name: Cleanup - run: ${{ inputs.cleanup-command }} + env: + CLEANUP_CMD: ${{ inputs.cleanup-command }} + run: bash -c "$CLEANUP_CMD" if: ${{ inputs.cleanup-command != '' && always() }}
diff --git a/.github/workflows/lint-and-build-yarn.yml b/.github/workflows/lint-and-build-yarn.yml
index 09241c4..846841e 100644
--- a/.github/workflows/lint-and-build-yarn.yml
+++ b/.github/workflows/lint-and-build-yarn.yml
@@ -60,8 +60,10 @@ jobs: if: ${{ inputs.artifact-name != '' }} - name: Prepare - run: ${{ inputs.prepare-command }} + env: + PREPARE_CMD: ${{ inputs.prepare-command }} if: ${{ inputs.prepare-command != '' }} + run: bash -c "$PREPARE_CMD" - name: Set Node.js uses: actions/setup-node@v4
@@ -103,5 +105,7 @@ jobs: if: ${{ inputs.build }} - name: Cleanup - run: ${{ inputs.cleanup-command }} - if: ${{ inputs.cleanup-command != '' && always() }} + env: + CLEANUP_CMD: ${{ inputs.cleanup-command }} + run: bash -c "$CLEANUP_CMD" + if: ${{ inputs.cleanup-command != '' && always() }}
\ No newline at end of file
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
index 31d771e..a8f9260 100644
--- a/.github/workflows/npm-release.yml
+++ b/.github/workflows/npm-release.yml
@@ -74,7 +74,11 @@ jobs: run: npm whoami - name: Lerna Publish - run: npx --yes lerna version ${{ inputs.version }} --amend --yes && npx lerna publish from-git --yes + env: + VERSION: ${{ inputs.version }} + run: | + npx --yes lerna version "$VERSION" --amend --yes + npx lerna publish from-git --yes - name: Push Tags run: git push --force-with-lease --follow-tags
From 4dfba9f548ed67a077f7cd4b3b637c67329f0185 Mon Sep 17 00:00:00 2001
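Review bot: `npx --yes lerna version "$VERSION" --amend --yes` fetches and executes whatever `lerna` the registry serves at run time if the package is not already present in the checkout, and this job holds the npm publish credentials (`npm whoami` runs just above) — a release step is the wrong place for an unpinned download. Pin it, e.g. `npx --yes lerna@<version> version "$VERSION" --amend --yes`, or declare lerna in the repository's devDependencies so both invocations resolve locally; the second call, `npx lerna publish from-git --yes`, should be pinned the same way rather than relying on the first call having populated the npx cache. Moving `inputs.version` into `VERSION` and quoting it is the right fix, since an unquoted value could otherwise be split into extra arguments for lerna.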
From: Samuel
Date: Wed, 12 Feb 2025 13:31:01 +0100
Subject: [PATCH 2/2] fix: zizmor warnings
---
.github/workflows/docker-build.yml | 6 ++----
.github/workflows/docker-release.yml | 11 ++++++-----
.github/workflows/lint-and-build-npm.yml | 2 ++
.github/workflows/lint-and-build-yarn.yml | 2 ++
.github/workflows/npm-release.yml | 3 +++
.github/workflows/self-versioning.yml | 4 ++++
.github/workflows/validate-workflows.yml | 8 ++++++++
.github/workflows/versioning.yml | 2 ++
8 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
index 849c14d..0998e5c 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -21,16 +21,14 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - with: - install: true - use: true - driver-opts: network=none - name: Build and push Docker image uses: docker/build-push-action@v6
diff --git a/.github/workflows/docker-release.yml b/.github/workflows/docker-release.yml
index 11c8bc2..05efb52 100644
--- a/.github/workflows/docker-release.yml
+++ b/.github/workflows/docker-release.yml
@@ -50,6 +50,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Set up environment if: ${{ inputs.env-file != '' }}
@@ -60,8 +62,11 @@ jobs: - name: Extract Image Name id: extract + env: + DOCKER_PATH: ${{ matrix.docker-path }} run: | - input="${{ matrix.docker-path }}" + # The value is now safely stored in DOCKER_PATH + input="$DOCKER_PATH" result="${input#*/}" echo "part=$result" >> "${GITHUB_OUTPUT}"
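Review bot: Every action in this hunk (`actions/checkout@v4`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v6`) is still referenced by a mutable major tag, so a retagged or compromised release would run inside this job with whatever registry credentials the build-and-push step is given; `persist-credentials: false` closes one exposure but not this one. Pin each to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<sha> # v4`, and let a bot keep the comment and SHA in sync. I believe zizmor's `unpinned-uses` only reports tag pins in its pedantic persona, which would explain why this run did not surface them.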
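Review bot: The new comment `# The value is now safely stored in DOCKER_PATH` describes this commit rather than the code and will read as noise once the `${{ }}` form is gone from the file; replace it with the reason the indirection exists, e.g. `# Read matrix.docker-path from the environment so the runner never interpolates it into this script (template injection).` Separately, `${input#*/}` strips only up to the first `/`, so a nested `docker-path` yields a `part` value that still contains slashes and, presumably, ends up in the image name — that behaviour is pre-existing, but if `docker-path` is caller-supplied it is worth confirming that the consumer of `steps.extract.outputs.part` tolerates it.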
@@ -70,10 +75,6 @@ jobs: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - with: - install: true - use: true - driver-opts: network=none - name: Login to Registry (GitHub) if: ${{ inputs.github-registry == 'true' }}
diff --git a/.github/workflows/lint-and-build-npm.yml b/.github/workflows/lint-and-build-npm.yml
index 856ccfd..bbf3de8 100644
--- a/.github/workflows/lint-and-build-npm.yml
+++ b/.github/workflows/lint-and-build-npm.yml
@@ -51,6 +51,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Artifact uses: actions/download-artifact@v4
diff --git a/.github/workflows/lint-and-build-yarn.yml b/.github/workflows/lint-and-build-yarn.yml
index 846841e..5296a68 100644
--- a/.github/workflows/lint-and-build-yarn.yml
+++ b/.github/workflows/lint-and-build-yarn.yml
@@ -51,6 +51,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + with: + persist-credentials: false - name: Artifact uses: actions/download-artifact@v4
diff --git a/.github/workflows/npm-release.yml b/.github/workflows/npm-release.yml
index a8f9260..5514e89 100644
--- a/.github/workflows/npm-release.yml
+++ b/.github/workflows/npm-release.yml
@@ -31,6 +31,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup Node uses: actions/setup-node@v4
@@ -56,6 +58,7 @@ jobs: uses: actions/checkout@v4 with: fetch-depth: 0 + persist-credentials: true - name: Git Config run: git config user.email 'github-actions@github.com' && git config user.name 'github-actions'
diff --git a/.github/workflows/self-versioning.yml b/.github/workflows/self-versioning.yml
index 1688ddc..4519f70 100644
--- a/.github/workflows/self-versioning.yml
+++ b/.github/workflows/self-versioning.yml
@@ -8,3 +8,7 @@ on: jobs: versioning: uses: ./.github/workflows/versioning.yml + permissions: + contents: write + pull-requests: write + issues: write
\ No newline at end of file
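Review bot: `persist-credentials: true` on the release job's checkout leaves the token in `.git/config` for the entire job, including the later `npx --yes lerna ...` steps that execute package code fetched from the registry, which is exactly the exposure zizmor's `artipacked` rule describes — making it explicit silences the warning without removing the risk. Only the final `git push --force-with-lease --follow-tags` needs write access, so keep `persist-credentials: false` here and scope the token to that one step, e.g. give the Push Tags step `env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}` and have it run `git remote set-url origin "https://x-access-token:${GITHUB_TOKEN}@github.com/${GITHUB_REPOSITORY}.git"` immediately before the push. The job header and any custom token passed to this checkout are outside the hunk, so adjust if a PAT rather than `GITHUB_TOKEN` is in play.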
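Review bot: The new `permissions:` block grants `contents: write`, `pull-requests: write` and `issues: write` without saying why; presumably these are what semantic-release in `versioning.yml` needs for tags/releases and for its issue and PR comments, and that should be recorded next to the grant, e.g. `# semantic-release: push tags/releases (contents); comment on released issues/PRs (issues, pull-requests)`, so the scopes are not widened further later. Add a workflow-level `permissions: contents: read` as well, so any job added to this file later starts read-only instead of inheriting the repository default. The file still ends without a trailing newline, which yamllint will flag.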
diff --git a/.github/workflows/validate-workflows.yml b/.github/workflows/validate-workflows.yml
index 598df45..0aa5ccc 100644
--- a/.github/workflows/validate-workflows.yml
+++ b/.github/workflows/validate-workflows.yml
@@ -8,18 +8,26 @@ on: jobs: validate-workflows: runs-on: ubuntu-latest + permissions: + contents: read steps: - uses: actions/checkout@v4 + with: + persist-credentials: false + - uses: actions/setup-go@v5 with: go-version: '^1.23.0' + - run: go install github.com/rhysd/actionlint/cmd/actionlint@latest + - run: actionlint security-analysis: runs-on: ubuntu-latest permissions: security-events: write + contents: read steps: - name: Checkout repository uses: actions/checkout@v4
diff --git a/.github/workflows/versioning.yml b/.github/workflows/versioning.yml
index c6c2129..0c413d9 100644
--- a/.github/workflows/versioning.yml
+++ b/.github/workflows/versioning.yml
@@ -25,6 +25,8 @@ jobs: steps: - name: Checkout repository uses: actions/checkout@v4 + with: + persist-credentials: false - name: Semantic Release uses: cycjimmy/semantic-release-action@v4
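Review bot: `go install github.com/rhysd/actionlint/cmd/actionlint@latest` builds and runs whatever the module proxy serves at run time, so the job that is supposed to validate the workflows is itself an unpinned download sitting next to the newly tightened `permissions:` and `persist-credentials:` lines. Pin it to a specific release tag or commit and bump deliberately, e.g. `go install github.com/rhysd/actionlint/cmd/actionlint@vX.Y.Z`; the mutable `actions/checkout@v4` and `actions/setup-go@v5` tags deserve the same treatment. The `security-analysis` job's steps continue past the end of this hunk, so I cannot see what runs under `security-events: write`.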
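Review bot: With `persist-credentials: false` on this checkout, `cycjimmy/semantic-release-action@v4` can only push tags and create releases if it is handed a token explicitly (presumably a `GITHUB_TOKEN` in the step's `env`, which lies beyond this hunk), so confirm that is set or the release run will now fail at the push. A short comment above the `with:` would stop the next maintainer from flipping this back, e.g. `# credentials are not persisted; semantic-release authenticates with the token passed in its env`. The action is also referenced by a mutable major tag; a commit-SHA pin would match the hardening intent of this series.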