fix zizmor findings

Signed-off-by: CrazyMax <1951866+crazy-max@users.noreply.github.com>
2026-04-06 14:19:25 +00:00 · 2026-03-30 14:09:00 +02:00 · 2026-03-30 14:09:00 +02:00 · 693fa383c9
commit 693fa383c9
parent e83e727655
8 changed files with 61 additions and 49 deletions
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@ -1,20 +1,19 @@
 name: validate

+permissions:
+  contents: read
+
 concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

 on:
-  workflow_dispatch:
  push:
    branches:
      - 'main'
      - 'releases/v*'
  pull_request:

-env:
-  SETUP_BUILDX_VERSION: "edge"
-
 jobs:
  prepare:
    runs-on: ubuntu-latest
@ -23,11 +22,11 @@ jobs:
    steps:
      -
        name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      -
        name: Generate matrix
        id: generate
-        uses: docker/bake-action/subaction/matrix@v7
+        uses: docker/bake-action/subaction/matrix@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          target: validate

@ -40,14 +39,8 @@ jobs:
      matrix:
        include: ${{ fromJson(needs.prepare.outputs.matrix) }}
    steps:
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v4
-        with:
-          version: ${{ env.SETUP_BUILDX_VERSION }}
-          driver: docker
      -
        name: Validate
-        uses: docker/bake-action@v7
+        uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0
        with:
          targets: ${{ matrix.target }}