fix zizmor findings

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2026-03-31 12:19:16 +00:00 · 2026-03-30 13:48:56 +02:00
parent 23d4d7612d
commit 389e17934e
8 changed files with 101 additions and 69 deletions
--- a/.github/workflows/update-dist.yml
+++ b/.github/workflows/update-dist.yml
@@ -1,5 +1,12 @@
 name: update-dist

+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
  pull_request:
    types:
@@ -8,27 +15,27 @@ on:

 jobs:
  update-dist:
-    if: github.actor == 'dependabot[bot]'
+    if: github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == github.event.pull_request.head.repo.full_name
    runs-on: ubuntu-latest
    steps:
      -
        name: GitHub auth token from GitHub App
        id: docker-read-app
-        uses: actions/create-github-app-token@v2
+        uses: actions/create-github-app-token@f8d387b68d61c58ab83c6c016672934102569859 # v3.0.0
        with:
          app-id: ${{ secrets.GHACTIONS_REPO_WRITE_APP_ID }}
          private-key: ${{ secrets.GHACTIONS_REPO_WRITE_APP_PRIVATE_KEY }}
          owner: docker
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          fetch-depth: 0
-          token: ${{ steps.docker-read-app.outputs.token || github.token }}
+          token: ${{ steps.docker-read-app.outputs.token }}
      -
        name: Build
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          source: .
          targets: build