Ci/zizmor

.github/workflows/build.yml

@@ -13,19 +13,23 @@ defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   collect:
+    name: Collect DEVFAMILY and OS combinations
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
-    permissions:
-      contents: read
     outputs:
       build-matrix: "${{ steps.matrix.outputs.matrix }}"
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Create build matrix
         id: matrix
@@ -38,8 +42,6 @@ jobs:
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
-    permissions:
-      contents: read
     needs: collect
     strategy:
       matrix:
@@ -48,15 +50,19 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Add directory to safe dir overrides
         run: |
           git config --global --add safe.directory "$PWD"
 
       - name: Build ${{ matrix.device }}
+        env:
+          DEVFAMILY: ${{ matrix.device }}
+          OS: ${{ matrix.os }}
         run: |
-          make DEVFAMILY=${{ matrix.device }} OS=${{ matrix.os }} \
-          VERSION=${{ github.ref_name }}
+          make VERSION=${GITHUB_REF_NAME}
 
       - name: Upload artifact
         uses: actions/upload-artifact@v4

.github/workflows/check-files.yml

@@ -7,23 +7,30 @@ on:  # yamllint disable-line rule:truthy
     paths:
       - 'source/**'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
 defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
-    permissions:
-      contents: read
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Update refs and settings
         run: |
@@ -33,6 +40,8 @@ jobs:
           git switch master
 
       - name: Run check_files.py
+        env:
+          EVENT_NUMBER: ${{ github.event.number }}
         run: |
           # Disable color output
           export NO_COLOR=true
@@ -53,7 +62,7 @@ jobs:
 
           # Prepare the artifacts
           mkdir -p ./results
-          echo "${{ github.event.number }}" > ./results/id
+          echo "$EVENT_NUMBER" > ./results/id
           cp "$GITHUB_STEP_SUMMARY" ./results/summary
           echo "$(wc -l < _new-warn.log)" > ./results/problem-count
 

.github/workflows/check_toc_txt.yml

@@ -8,23 +8,30 @@ on:  # yamllint disable-line rule:truthy
       - 'source/**'
       - 'configs/*/*_toc.txt'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
 defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
-    permissions:
-      contents: read
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Update refs and settings
         run: |
@@ -34,6 +41,8 @@ jobs:
           git switch master
 
       - name: Run rstcheck
+        env:
+          EVENT_NUMBER: ${{ github.event.number }}
         run: |
           # Disable color output
           export NO_COLOR=true
@@ -54,7 +63,7 @@ jobs:
 
           # Prepare the artifacts
           mkdir -p ./results
-          echo "${{ github.event.number }}" > ./results/id
+          echo "$EVENT_NUMBER" > ./results/id
           cp "$GITHUB_STEP_SUMMARY" ./results/summary
           echo "$(wc -l < _new-warn.log)" > ./results/problem-count
 

.github/workflows/comment.yml

@@ -10,13 +10,14 @@ on:  # yamllint disable-line rule:truthy
     types:
       - completed
 
+permissions:
+  pull-requests: write  # Required to leave a comment on a review
+
 jobs:
   comment:
     name: Comment
     runs-on: ubuntu-latest
     if: ${{ github.event.workflow_run.event == 'pull_request' }}
-    permissions:
-      pull-requests: write
 
     steps:
       - name: Download artifact

.github/workflows/commit-check.yml

@@ -1,23 +1,25 @@
 ---
 name: Commit Check
-on:  # yamllint disable-line rule:truthy
-  pull_request:
-    branches: ['master']
+on: [pull_request]  # yamllint disable-line rule:truthy
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
 
 jobs:
   commit-check:
     name: Commit Check
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      issues: write
-      pull-requests: write
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Check commit
         uses: commit-check/commit-check-action@v2

.github/workflows/component-owners.yml

@@ -1,20 +1,19 @@
 ---
 name: "component-owners"
 
-on:  # yamllint disable-line rule:truthy
-  # It's insecure to use pull_request_target if you intend to check out code
-  # from that PR. This just reads the config file in the pull request base, and
-  # is not an issue currently. We will need to use this to comment on PRs coming
-  # from forked repositories.
-  pull_request_target:
-    branches: [master]
+# It's insecure to use pull_request_target if you intend to check out code
+# from that PR. This just reads the config file in the pull request base, and
+# is not an issue currently. We will need to use this to comment on PRs coming
+# from forked repositories.
+on: [pull_request_target]  # yamllint disable-line rule:truthy
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
 
 permissions:
-  # Clamp permissions since pull_request_target workflows granted full
-  # read/write repository permission by default
   contents: read
-  issues: write
-  pull-requests: write
+  pull-requests: write  # Required to set reviewers
 
 jobs:
   component-owners:

.github/workflows/deploy.yml

@@ -8,6 +8,13 @@ on:  # yamllint disable-line rule:truthy
     types:
       - completed
 
+concurrency:
+  group: pages
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
 jobs:
   agregate:
     name: Agregate build artifacts
@@ -16,12 +23,12 @@ jobs:
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
-    permissions:
-      contents: read
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Add directory to safe dir overrides
         run: |
@@ -51,8 +58,7 @@ jobs:
     runs-on: ubuntu-latest
     needs: agregate
     permissions:
-      pages: write
-      id-token: write
+      pages: write  # Required for deployment to GitHub Pages
 
     steps:
       - name: Update github page deployment

.github/workflows/docker.yml

@@ -7,21 +7,28 @@ on:  # yamllint disable-line rule:truthy
       - 'docker/**'
       - requirements.txt
 
+concurrency:
+  group: docker
+  cancel-in-progress: true
+
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+  contents: read
+  packages: write  # Required to push image to ghcr.io
+
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      packages: write
 
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3

.github/workflows/rstcheck.yml

@@ -7,23 +7,30 @@ on:  # yamllint disable-line rule:truthy
     paths:
       - 'source/**'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
 defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/texasinstruments/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
-    permissions:
-      contents: read
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Update refs and settings
         run: |
@@ -33,6 +40,8 @@ jobs:
           git switch master
 
       - name: Run rstcheck
+        env:
+          EVENT_NUMBER: ${{ github.event.number }}
         run: |
           # Disable color output
           export NO_COLOR=true
@@ -53,7 +62,7 @@ jobs:
 
           # Prepare the artifacts
           mkdir -p ./results
-          echo "${{ github.event.number }}" > ./results/id
+          echo "$EVENT_NUMBER" > ./results/id
           cp "$GITHUB_STEP_SUMMARY" ./results/summary
           echo "$(wc -l < _new-warn.log)" > ./results/problem-count
 

.github/workflows/vale.yml

@@ -3,19 +3,24 @@ name: "vale"
 
 on: [pull_request]  # yamllint disable-line rule:truthy
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.number }}
+  cancel-in-progress: true
+
 defaults:
   run:
     shell: bash
 
+permissions:
+  contents: read
+
 jobs:
   vale:
     name: vale
     runs-on: ubuntu-latest
     container:
       image: ghcr.io/staticrocket/processor-sdk-doc:latest
       options: --entrypoint /bin/bash
-    permissions:
-      contents: read
 
     steps:
       - name: Prepare GitHub workdir
@@ -24,6 +29,8 @@ jobs:
 
       - name: Checkout repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Get changed files
         id: changed-files