From: Steve Myers
Date: Tue, 28 Jan 2025 17:58:50 +0000 (-0600)
Subject: Merge bitcoindevkit/bdk#1778: ci: apply `zizmor` security audit
X-Git-Tag: bitcoind_rpc-0.18.0~2

Merge bitcoindevkit/bdk#1778: ci: apply `zizmor` security audit

30dce98450fb3a919babfe512d8e8d505f3dddd8 fix(cont-integration): template injection audit (Leonardo Lima)
4ce913960a77a8ec857518cd894e12bf59df1bae fix(ci): do not persist credentials (Leonardo Lima)

Pull request description:

fixes #1775

### Description

I used `zizmor` on all current CI workflows; it's a tool that helps detect possible vulnerabilities in our CI jobs, see https://woodruffw.github.io/zizmor/.

It can run against most of its audit rules; however, the ones that require the GitHub API token would require someone with access to it in order to test against it. So this PR does not cover the impostor-commit, ref-confusion and known-vulnerable-actions audit rules.

### Notes to the reviewers

### Changelog notice

- Do not persist credentials on GitHub Actions.

### Checklists

#### All Submissions:

* [x] I've signed all my commits
* [x] I followed the [contribution guidelines](https://github.com/bitcoindevkit/bdk/blob/master/CONTRIBUTING.md)
* [x] I ran `cargo fmt` and `cargo clippy` before committing

ACKs for top commit:
notmandatory:
ACK 30dce98450fb3a919babfe512d8e8d505f3dddd8

Tree-SHA512: 611b51bdac3278c86954b4c7a8ecb405db0889fd65f58cf4035058433233340bd5c83f135184dd53e2e1cc6f547d8ce88a7e4433da39d621479b17dd9e2e06d1
---
88330f603cb415d01c88f1a579f20a21cb8c1658
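As an added illustration of the two findings this merge addresses (a constructed example, not a workflow from the bdk repository), here is a job written the way zizmor's template-injection and persist-credentials audits would flag it, beside the hardened form; the job names and the echo step are assumptions.

```yaml
# Constructed example: one workflow, two jobs, to show the flagged pattern
# and the corrected pattern side by side.
name: zizmor-example
on: [pull_request]

jobs:
  before:
    runs-on: ubuntu-latest
    steps:
      # actions/checkout persists the repository token into .git/config by
      # default, so every later step (and any script it runs) can read it.
      - uses: actions/checkout@v4
      # The PR title is an attacker-controlled string; `${{ }}` is expanded
      # into the script text before the shell parses it (template injection).
      - run: echo "Reviewing ${{ github.event.pull_request.title }}"

  after:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is not left on disk for later steps
      # Pass the untrusted value through an environment variable: the shell
      # sees a quoted variable, never the raw text of the title.
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Reviewing $PR_TITLE"
```

Running `zizmor` on this file reports the `before` job and is silent on `after`, which is the check reviewers can repeat locally without any GitHub API token.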