Chore: address more zizmor flags

2026-04-08 09:08:52 +00:00 · 2026-04-07 12:27:17 -07:00
9 changed files with 89 additions and 68 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -164,6 +164,8 @@ updates:
    directory: "/" # Location of package manifests
    schedule:
      interval: "monthly"
+    cooldown:
+      default-days: 7
    groups:
      pre-commit-dependencies:
        patterns:
--- a/.github/workflows/ci-backend.yml
+++ b/.github/workflows/ci-backend.yml
@@ -30,10 +30,13 @@ jobs:
          persist-credentials: false
      - name: Decide run mode
        id: force
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          REF_NAME: ${{ github.ref_name }}
        run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event_name }}" == "push" && ( "${{ github.ref_name }}" == "main" || "${{ github.ref_name }}" == "dev" ) ]]; then
+          elif [[ "${EVENT_NAME}" == "push" && ( "${REF_NAME}" == "main" || "${REF_NAME}" == "dev" ) ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
          else
            echo "run_all=false" >> "$GITHUB_OUTPUT"
@@ -41,15 +44,22 @@ jobs:
      - name: Set diff range
        id: range
        if: steps.force.outputs.run_all != 'true'
+        env:
+          BEFORE_SHA: ${{ github.event.before }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          EVENT_CREATED: ${{ github.event.created }}
+          EVENT_NAME: ${{ github.event_name }}
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          SHA: ${{ github.sha }}
        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event.created }}" == "true" ]]; then
-            echo "base=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
+          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
+            echo "base=${PR_BASE_SHA}" >> "$GITHUB_OUTPUT"
+          elif [[ "${EVENT_CREATED}" == "true" ]]; then
+            echo "base=${DEFAULT_BRANCH}" >> "$GITHUB_OUTPUT"
          else
-            echo "base=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
+            echo "base=${BEFORE_SHA}" >> "$GITHUB_OUTPUT"
          fi
-          echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+          echo "ref=${SHA}" >> "$GITHUB_OUTPUT"
      - name: Detect changes
        id: filter
        if: steps.force.outputs.run_all != 'true'
@@ -104,9 +114,11 @@ jobs:
        run: |
          sudo cp docker/rootfs/etc/ImageMagick-6/paperless-policy.xml /etc/ImageMagick-6/policy.xml
      - name: Install Python dependencies
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv sync \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --group testing \
            --frozen
      - name: List installed Python dependencies
@@ -114,14 +126,15 @@ jobs:
          uv pip list
      - name: Install NLTK data
        run: |
-          uv run python -m nltk.downloader punkt punkt_tab snowball_data stopwords -d ${{ env.NLTK_DATA }}
+          uv run python -m nltk.downloader punkt punkt_tab snowball_data stopwords -d "${NLTK_DATA}"
      - name: Run tests
        env:
          NLTK_DATA: ${{ env.NLTK_DATA }}
          PAPERLESS_CI_TEST: 1
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --dev \
            --frozen \
            pytest
@@ -169,9 +182,11 @@ jobs:
          enable-cache: true
          python-version: ${{ steps.setup-python.outputs.python-version }}
      - name: Install Python dependencies
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv sync \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --group testing \
            --group typing \
            --frozen
@@ -207,19 +222,23 @@ jobs:
    runs-on: ubuntu-slim
    steps:
      - name: Check gate
+        env:
+          BACKEND_CHANGED: ${{ needs.changes.outputs.backend_changed }}
+          TEST_RESULT: ${{ needs.test.result }}
+          TYPING_RESULT: ${{ needs.typing.result }}
        run: |
-          if [[ "${{ needs.changes.outputs.backend_changed }}" != "true" ]]; then
+          if [[ "${BACKEND_CHANGED}" != "true" ]]; then
            echo "No backend-relevant changes detected."
            exit 0
          fi

-          if [[ "${{ needs.test.result }}" != "success" ]]; then
-            echo "::error::Backend test job result: ${{ needs.test.result }}"
+          if [[ "${TEST_RESULT}" != "success" ]]; then
+            echo "::error::Backend test job result: ${TEST_RESULT}"
            exit 1
          fi

-          if [[ "${{ needs.typing.result }}" != "success" ]]; then
-            echo "::error::Backend typing job result: ${{ needs.typing.result }}"
+          if [[ "${TYPING_RESULT}" != "success" ]]; then
+            echo "::error::Backend typing job result: ${TYPING_RESULT}"
            exit 1
          fi

--- a/.github/workflows/ci-docker.yml
+++ b/.github/workflows/ci-docker.yml
@@ -166,6 +166,7 @@ jobs:
    runs-on: ubuntu-24.04
    needs: build-arch
    if: needs.build-arch.outputs.should-push == 'true'
+    environment: image-publishing
    permissions:
      contents: read
      packages: write
--- a/.github/workflows/ci-frontend.yml
+++ b/.github/workflows/ci-frontend.yml
@@ -27,10 +27,13 @@ jobs:
          persist-credentials: false
      - name: Decide run mode
        id: force
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          REF_NAME: ${{ github.ref_name }}
        run: |
-          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+          if [[ "${EVENT_NAME}" == "workflow_dispatch" ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event_name }}" == "push" && ( "${{ github.ref_name }}" == "main" || "${{ github.ref_name }}" == "dev" ) ]]; then
+          elif [[ "${EVENT_NAME}" == "push" && ( "${REF_NAME}" == "main" || "${REF_NAME}" == "dev" ) ]]; then
            echo "run_all=true" >> "$GITHUB_OUTPUT"
          else
            echo "run_all=false" >> "$GITHUB_OUTPUT"
@@ -38,15 +41,22 @@ jobs:
      - name: Set diff range
        id: range
        if: steps.force.outputs.run_all != 'true'
+        env:
+          BEFORE_SHA: ${{ github.event.before }}
+          DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
+          EVENT_CREATED: ${{ github.event.created }}
+          EVENT_NAME: ${{ github.event_name }}
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          SHA: ${{ github.sha }}
        run: |
-          if [[ "${{ github.event_name }}" == "pull_request" ]]; then
-            echo "base=${{ github.event.pull_request.base.sha }}" >> "$GITHUB_OUTPUT"
-          elif [[ "${{ github.event.created }}" == "true" ]]; then
-            echo "base=${{ github.event.repository.default_branch }}" >> "$GITHUB_OUTPUT"
+          if [[ "${EVENT_NAME}" == "pull_request" ]]; then
+            echo "base=${PR_BASE_SHA}" >> "$GITHUB_OUTPUT"
+          elif [[ "${EVENT_CREATED}" == "true" ]]; then
+            echo "base=${DEFAULT_BRANCH}" >> "$GITHUB_OUTPUT"
          else
-            echo "base=${{ github.event.before }}" >> "$GITHUB_OUTPUT"
+            echo "base=${BEFORE_SHA}" >> "$GITHUB_OUTPUT"
          fi
-          echo "ref=${{ github.sha }}" >> "$GITHUB_OUTPUT"
+          echo "ref=${SHA}" >> "$GITHUB_OUTPUT"
      - name: Detect changes
        id: filter
        if: steps.force.outputs.run_all != 'true'
@@ -224,6 +234,7 @@ jobs:
    needs: [changes, unit-tests, e2e-tests]
    if: needs.changes.outputs.frontend_changed == 'true'
    runs-on: ubuntu-24.04
+    environment: bundle-analysis
    permissions:
      contents: read
    steps:
--- a/.github/workflows/ci-release.yml
+++ b/.github/workflows/ci-release.yml
@@ -64,17 +64,21 @@ jobs:
          enable-cache: false
          python-version: ${{ steps.setup-python.outputs.python-version }}
      - name: Install Python dependencies
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
-          uv sync --python ${{ steps.setup-python.outputs.python-version }} --dev --frozen
+          uv sync --python "${PYTHON_VERSION}" --dev --frozen
      - name: Install system dependencies
        run: |
          sudo apt-get update -qq
          sudo apt-get install -qq --no-install-recommends gettext liblept5
      # ---- Build Documentation ----
      - name: Build documentation
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --dev \
            --frozen \
            zensical build --clean
@@ -83,16 +87,20 @@ jobs:
        run: |
          uv export --quiet --no-dev --all-extras --format requirements-txt --output-file requirements.txt
      - name: Compile messages
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          cd src/
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            manage.py compilemessages
      - name: Collect static files
+        env:
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
        run: |
          cd src/
          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            manage.py collectstatic --no-input --clear
      - name: Assemble release package
        run: |
@@ -210,9 +218,13 @@ jobs:
        working-directory: docs
        env:
          CHANGELOG: ${{ needs.publish-release.outputs.changelog }}
+          PYTHON_VERSION: ${{ steps.setup-python.outputs.python-version }}
+          VERSION: ${{ needs.publish-release.outputs.version }}
        run: |
-          git branch ${{ needs.publish-release.outputs.version }}-changelog
-          git checkout ${{ needs.publish-release.outputs.version }}-changelog
+          branch_name="${VERSION}-changelog"
+
+          git branch "${branch_name}"
+          git checkout "${branch_name}"

          printf '# Changelog\n\n%s\n' "${CHANGELOG}" > changelog-new.md

@@ -227,24 +239,28 @@ jobs:
          mv changelog-new.md changelog.md

          uv run \
-            --python ${{ steps.setup-python.outputs.python-version }} \
+            --python "${PYTHON_VERSION}" \
            --dev \
            prek run --files changelog.md || true

          git config --global user.name "github-actions"
          git config --global user.email "41898282+github-actions[bot]@users.noreply.github.com"
-          git commit -am "Changelog ${{ needs.publish-release.outputs.version }} - GHA"
-          git push origin ${{ needs.publish-release.outputs.version }}-changelog
+          git commit -am "Changelog ${VERSION} - GHA"
+          git push origin "${branch_name}"
      - name: Create pull request
        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
+        env:
+          VERSION: ${{ needs.publish-release.outputs.version }}
        with:
          script: |
            const { repo, owner } = context.repo;
+            const version = process.env.VERSION;
+            const head = `${version}-changelog`;
            const result = await github.rest.pulls.create({
-              title: 'Documentation: Add ${{ needs.publish-release.outputs.version }} changelog',
+              title: `Documentation: Add ${version} changelog`,
              owner,
              repo,
-              head: '${{ needs.publish-release.outputs.version }}-changelog',
+              head,
              base: 'main',
              body: 'This PR is auto-generated by CI.'
            });
--- a/.github/workflows/cleanup-tags.yml
+++ b/.github/workflows/cleanup-tags.yml
@@ -18,6 +18,7 @@ jobs:
    name: Cleanup Image Tags for ${{ matrix.primary-name }}
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
+    environment: registry-maintenance
    strategy:
      fail-fast: false
      matrix:
@@ -44,6 +45,7 @@ jobs:
    runs-on: ubuntu-24.04
    needs:
      - cleanup-images
+    environment: registry-maintenance
    strategy:
      fail-fast: false
      matrix:
--- a/.github/workflows/crowdin.yml
+++ b/.github/workflows/crowdin.yml
@@ -14,6 +14,7 @@ jobs:
    name: Crowdin Sync
    if: github.repository_owner == 'paperless-ngx'
    runs-on: ubuntu-24.04
+    environment: translation-sync
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
--- a/.github/workflows/translate-strings.yml
+++ b/.github/workflows/translate-strings.yml
@@ -7,6 +7,7 @@ jobs:
  generate-translate-strings:
    name: Generate Translation Strings
    runs-on: ubuntu-latest
+    environment: translation-sync
    permissions:
      contents: write
    steps:
--- a/.github/zizmor.yml
+++ b/.github/zizmor.yml
@@ -3,54 +3,22 @@ rules:
    ignore:
      # github.event_name is a GitHub-internal constant (push/pull_request/etc.),
      # not attacker-controllable.
-      - ci-backend.yml:35
      - ci-docker.yml:74
      - ci-docs.yml:33
-      - ci-frontend.yml:32
      # github.event.repository.default_branch refers to the target repo's setting,
      # which only admins can change; not influenced by fork PR authors.
-      - ci-backend.yml:47
      - ci-docs.yml:45
-      - ci-frontend.yml:44
      # steps.setup-python.outputs.python-version is always a semver string (e.g. "3.12.0")
      # produced by actions/setup-python from a hardcoded env var input.
-      - ci-backend.yml:106
-      - ci-backend.yml:121
-      - ci-backend.yml:169
      - ci-docs.yml:88
      - ci-docs.yml:92
-      - ci-release.yml:69
-      - ci-release.yml:78
-      - ci-release.yml:90
-      - ci-release.yml:96
-      - ci-release.yml:229
      # needs.*.result is always one of: success/failure/cancelled/skipped.
-      - ci-backend.yml:211
-      - ci-backend.yml:212
-      - ci-backend.yml:216
      - ci-docs.yml:131
      - ci-docs.yml:132
-      - ci-frontend.yml:259
-      - ci-frontend.yml:260
-      - ci-frontend.yml:264
-      - ci-frontend.yml:269
-      - ci-frontend.yml:274
-      - ci-frontend.yml:279
      # needs.changes.outputs.* is always "true" or "false".
-      - ci-backend.yml:206
      - ci-docs.yml:126
-      - ci-frontend.yml:254
      # steps.build.outputs.digest is always a SHA256 digest (sha256:[a-f0-9]{64}).
      - ci-docker.yml:152
-      # needs.publish-release.outputs.version is the git tag name (e.g. v2.14.0);
-      # only maintainers can push tags upstream, and the tag pattern excludes
-      # shell metacharacters. Used in git commands and github-script JS, not eval.
-      - ci-release.yml:215
-      - ci-release.yml:216
-      - ci-release.yml:231
-      - ci-release.yml:237
-      - ci-release.yml:245
-      - ci-release.yml:248
  dangerous-triggers:
    ignore:
      # Both workflows use pull_request_target solely to label/comment on fork PRs