[CI] Add zimor to check github action security (#8639)

* Add zimor to checks * fix format * use same version of checkout everywhere * do only persist credentials if needed * remove duplicate clones * fix pin syntax * fix pins * fix template injection * another injection fix * Revert "remove duplicate clones" This reverts commit 9a00ae2bbb. * Add GH token for further rules
2025-06-18 13:05:42 +00:00 · 2024-12-17 00:12:51 +01:00
parent 5d2329651a
commit 9dc4fc1f8f
7 changed files with 93 additions and 16 deletions
--- a/.github/actions/setup/action.yaml
+++ b/.github/actions/setup/action.yaml
@ -35,7 +35,9 @@ runs:
    using: 'composite'
    steps:
      - name: Checkout Code
-        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # pin@v4.1.1
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # pin@v4.2.2
+        with:
+          persist-credentials: false

      # Python installs
      - name: Set up Python ${{ env.python_version }}