Security scanning zizmor (infra)

.github/workflows/black.yml

@@ -12,6 +12,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: psf/black@stable
         with:
           options: "--check --diff --line-length 79 --extend-exclude '/vendor/'"

.github/workflows/checkbox-beta-release.yml

@@ -25,6 +25,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Verify Promotion Conditions
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -43,6 +44,8 @@ jobs:
           sudo apt install -qq -y python3-launchpadlib
       - name: Checkout checkbox monorepo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Copy deb packages from edge to beta ppa
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/checkbox-ce-oem-daily-build.yml

@@ -22,6 +22,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Check for commits
         id: commit_check
         env:

.github/workflows/checkbox-ce-oem-edge-builds.yml

@@ -32,6 +32,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Add LP credentials
         run: |
           mkdir -p ~/.local/share/snapcraft/provider/launchpad/

.github/workflows/checkbox-core-snap-daily-builds.yml

@@ -41,6 +41,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Copy over the common files for series ${{ matrix.releases }}
         run: |
           cd checkbox-core-snap/

.github/workflows/checkbox-promote-beta-to-candidate.yml

@@ -58,6 +58,8 @@ jobs:
     steps:
     - name: Checkout checkbox monorepo
       uses: actions/checkout@v4
+      with:
+          persist-credentials: false
 
     - name: Create job file (by instantiating template)
       id: create-job

.github/workflows/checkbox-snap-daily-builds.yml

@@ -40,6 +40,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Copy over the common files for series ${{ matrix.type }}${{ matrix.releases }}
         run: |
           cd checkbox-snap/

.github/workflows/checkbox-stable-release.yml

@@ -23,6 +23,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install dependencies
         run: |
           which curl || (sudo apt update && sudo apt install curl -y)
@@ -56,6 +57,8 @@ jobs:
           sudo apt install -qq -y python3-launchpadlib
       - name: Checkout checkbox monorepo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Copy deb packages from testing to stable ppa
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/checkbox-tics.yml

@@ -4,7 +4,7 @@ on:
   schedule:
     - cron: '00 19 * * *'
   workflow_dispatch:
- 
+
 permissions:
   contents: read
 
@@ -14,6 +14,8 @@ jobs:
     environment: TICS
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install dependencies
         run: |

.github/workflows/daily-builds.yml

@@ -22,6 +22,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Check for commits
         id: commit_check
         env:

.github/workflows/deb-daily-builds.yml

@@ -25,6 +25,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: Wandalen/wretry.action/main@v3.4.0_js_action
         name: Make LP pull the monorepo
         env:
@@ -69,6 +70,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: Wandalen/wretry.action/main@v3.4.0_js_action
         name: Update the recipe in the checkbox PPA
         env:

.github/workflows/deb-sanity-builds.yml

@@ -19,6 +19,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: Wandalen/wretry.action/main@v3.4.0_js_action
         name: Make LP pull the monorepo
         env:
@@ -48,6 +49,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - uses: Wandalen/wretry.action/main@v3.4.0_js_action
         name: Update the recipe in the checkbox PPA
         env:

.github/workflows/deb_validator.yaml

@@ -54,6 +54,8 @@ jobs:
     steps:
       - name: Checkout Checkbox monorepo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       # needed by providers that pull checkbox-support
       - name: Install PPA and dependencies
         run: |

.github/workflows/dispatch_lab_job.yaml

@@ -35,6 +35,8 @@ jobs:
 
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Get current commit SHA
         id: get_sha

.github/workflows/documentation-check.yml

@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install Aspell
         run: |
@@ -57,6 +59,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: woke
         uses: get-woke/woke-action@v0
@@ -82,6 +86,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install the doc framework
         working-directory: docs/

.github/workflows/metabox.yaml

@@ -16,6 +16,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Use git diff to see if there are any changes in the metabox and checkbox-ng directories
         id: check_diff
         run: |
@@ -51,6 +52,8 @@ jobs:
     steps:
       - name: Checkout Checkbox monorepo
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup LXD
         uses: canonical/setup-lxd@main
       - name: Add ZFS storage

.github/workflows/pr_validation.yaml

@@ -32,6 +32,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install dependencies, Checkbox and providers
         run: |
           sudo apt install -y -qq python3 python3-venv jq libsystemd-dev

.github/workflows/snapcraft8_builds.yaml

@@ -41,6 +41,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Copy over the common files for series ${{ matrix.releases }}
         run: |
           cd checkbox-core-snap/
@@ -126,6 +127,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Copy over the common files for series ${{ matrix.type }}${{ matrix.releases }}
         run: |
           cd checkbox-snap/
@@ -201,6 +203,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Add LP credentials
         run: |
           mkdir -p ~/.local/share/snapcraft/
@@ -275,6 +278,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Add LP credentials
         run: |
           mkdir -p ~/.local/share/snapcraft/

.github/workflows/testflinger-contrib-dss-regression.yaml

@@ -40,6 +40,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Build job file from template
         run: |
           sed -e "s|REPLACE_BRANCH|${BRANCH}|" \

.github/workflows/tox-checkbox-ng.yaml

@@ -32,6 +32,8 @@ jobs:
             tox_env_name: "py310"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED
       # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking
       # first that we can "curl" the hosts, since they will fail in case of
@@ -52,7 +54,7 @@ jobs:
       - name: Run tox
         run: tox -e${{ matrix.tox_env_name }}
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           flags: checkbox-ng

.github/workflows/tox-checkbox-support.yaml

@@ -32,6 +32,8 @@ jobs:
             tox_env_name: "py310"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED
       # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking
       # first that we can "curl" the hosts, since they will fail in case of
@@ -56,7 +58,7 @@ jobs:
       - name: Run tox
         run: tox -e${{ matrix.tox_env_name }}
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           flags: checkbox-support

.github/workflows/tox-contrib-pc-sanity.yaml

@@ -25,6 +25,8 @@ jobs:
             tox_env_name: "py310"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Setup Python
         uses: actions/setup-python@v4
         with:
@@ -34,7 +36,7 @@ jobs:
       - name: Run tox
         run: tox -e${{ matrix.tox_env_name }}
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           flags: pc-sanity

.github/workflows/tox-contrib-provider-ce-oem.yaml

@@ -32,6 +32,8 @@ jobs:
             tox_env_name: "py310"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED
       # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking
       # first that we can "curl" the hosts, since they will fail in case of
@@ -56,7 +58,7 @@ jobs:
       - name: Run tox
         run: tox -e${{ matrix.tox_env_name }}
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           flags: contrib-provider-ce-oem

.github/workflows/tox-provider-base.yaml

@@ -32,6 +32,8 @@ jobs:
             tox_env_name: "py310"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED
       # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking
       # first that we can "curl" the hosts, since they will fail in case of
@@ -56,7 +58,7 @@ jobs:
       - name: Run tox
         run: tox -e${{ matrix.tox_env_name }}
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           flags: provider-base

.github/workflows/tox-provider-certification-client.yaml

@@ -32,11 +32,12 @@ jobs:
             tox_env_name: "py310"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED
       # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking
       # first that we can "curl" the hosts, since they will fail in case of
       # expired/invalid/self-signed certificate.
-
       - name: Workaround SSL Certificates manual verification for Python
         run: |
           curl --fail --silent --show-error https://pypi.python.org
@@ -53,7 +54,7 @@ jobs:
       - name: Run tox
         run: tox -e${{ matrix.tox_env_name }}
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           flags: provider-certification-client

.github/workflows/tox-provider-certification-server.yaml

@@ -32,6 +32,8 @@ jobs:
             tox_env_name: "py310"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED
       # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking
       # first that we can "curl" the hosts, since they will fail in case of
@@ -52,7 +54,7 @@ jobs:
       - name: Run tox
         run: tox -e${{ matrix.tox_env_name }}
       - name: Upload coverage reports to Codecov
-        uses: codecov/codecov-action@v3
+        uses: codecov/codecov-action@v5
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           flags: provider-certification-server

.github/workflows/tox-provider-docker.yaml

@@ -32,6 +32,8 @@ jobs:
             tox_env_name: "py310"
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       # Python 3.5 setup was failing because of a CERTIFICATE_VERIFY_FAILED
       # error. To fix this, we have set up manually PIP_TRUSTED_HOST, checking
       # first that we can "curl" the hosts, since they will fail in case of