CI: auto-fix via zizmor

tacaswell · tacaswell · commit ef5b328b76b8 · 2025-07-17T23:05:53.000-04:00
May include:

- Avoids risky string interpolation.
- Prevents checkout premissions from leaking
diff --git a/.github/workflows/mplfinance_checks.yml b/.github/workflows/mplfinance_checks.yml
@@ -11,18 +11,23 @@ jobs:
         run: |
           echo "The job was automatically triggered by a ${{ github.event_name }} event."
           echo "This job is now running on a ${{ runner.os }} server hosted by GitHub!"
-          echo "The name of your branch is ${{ github.ref }} and your repository is ${{ github.repository }}."
+          echo "The name of your branch is ${GITHUB_REF} and your repository is ${{ github.repository }}."
           echo "  "
-          echo "github.ref = ${{ github.ref }}"
+          echo "github.ref = ${GITHUB_REF}"
           echo "github.sha = ${{ github.sha }}"
-          echo "github.event.pull_request.head.ref = ${{ github.event.pull_request.head.ref }}"
+          echo "github.event.pull_request.head.ref = ${GITHUB_EVENT_PULL_REQUEST_HEAD_REF}"
           echo "github.event.pull_request.head.sha = ${{ github.event.pull_request.head.sha }}"
-          echo "github.event.pull_request.base.ref = ${{ github.event.pull_request.base.ref }}"
+          echo "github.event.pull_request.base.ref = ${GITHUB_EVENT_PULL_REQUEST_BASE_REF}"
           echo "github.event.pull_request.base.sha = ${{ github.event.pull_request.base.sha }}"
           echo "  "
+        env:
+          GITHUB_EVENT_PULL_REQUEST_HEAD_REF: ${{ github.event.pull_request.head.ref }}
+          GITHUB_EVENT_PULL_REQUEST_BASE_REF: ${{ github.event.pull_request.base.ref }}
 
       - name: Check out repository code
         uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - run: echo "The ${{ github.repository }} repository has been cloned to the runner."
 
@@ -43,14 +48,18 @@ jobs:
       - name: Run Pytest
         run: python -m pytest
 
-      - run: echo "This job's status is ${{ job.status }}."
+      - run: echo "This job's status is ${JOB_STATUS}."
+        env:
+          JOB_STATUS: ${{ job.status }}
 
   Pull_Request_Updates_Version:
     runs-on: ubuntu-20.04
     if: github.event_name == 'pull_request'
     steps:
       - name: Check out repository code
         uses: actions/checkout@v2
+        with:
+          persist-credentials: false
 
       - name: Set up Python ${{ matrix.python-version }}
         uses: actions/setup-python@v2
diff --git a/.github/workflows/pubPyPI.yml b/.github/workflows/pubPyPI.yml
@@ -15,7 +15,8 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@v3
       with:
-        ref:  ${{ github.event.inputs.tag }}
+        ref: ${{ github.event.inputs.tag }}
+        persist-credentials: false
 
     - name: Display Coded Version 
       #run: git show ${{ github.sha }}:src/mplfinance/_version.py
diff --git a/.github/workflows/pubTestPyPI.yml b/.github/workflows/pubTestPyPI.yml
@@ -15,7 +15,8 @@ jobs:
     - name: Checkout Repository
       uses: actions/checkout@v3
       with:
-        ref:  ${{ github.event.inputs.tag }}
+        ref: ${{ github.event.inputs.tag }}
+        persist-credentials: false
 
     - name: Display Coded Version 
       #run: git show ${{ github.sha }}:src/mplfinance/_version.py
