Fix zizmor security issues in GA (dftd4#272)

grimme-lab · Dec 15, 2024 · 05e6eb0 · 05e6eb0
1 parent 5bc636c
commit 05e6eb0
Show file tree

Hide file tree

Showing 4 changed files with 464 additions and 392 deletions.
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -2,9 +2,9 @@ name: "CodeQL"
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
   pull_request:
-    branches: [ "main" ]
+    branches: ["main"]
   schedule:
     - cron: "6 8 * * 2"
 
@@ -20,11 +20,13 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: [ python ]
+        language: [python]
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v2

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -13,24 +13,48 @@ jobs:
   build-and-deploy:
     runs-on: ubuntu-latest
     steps:
-    - id: deploy-on-push
-      run:
-        echo "::set-output name=result::${{ env.DEPLOY_BRANCH }}"
-      env:
-        DEPLOY_BRANCH: ${{ secrets.DEPLOY_BRANCH && contains(github.ref, secrets.DEPLOY_BRANCH) && 1 || 0 }}
-    - uses: actions/checkout@v2
-    - uses: actions/setup-python@v1
-      with:
-        python-version: '3.x'
-    - name: Install dependencies
-      run: pip install ford
-    - name: Build Documentation
-      run: ford ford.md
-    - uses: JamesIves/[email protected]
-      if: ${{ github.event_name == 'push' && steps.deploy-on-push.outputs.result != 0 }}
-      with:
-        branch: gh-pages
-        folder: _docs
-        single-commit: true
-        git-config-email: [email protected]
-        git-config-name: DFT-D4
+      - id: deploy-on-push
+        run: echo "result=$DEPLOY_BRANCH" >> $GITHUB_OUTPUT
+        env:
+          DEPLOY_BRANCH: ${{ secrets.DEPLOY_BRANCH && contains(github.ref, secrets.DEPLOY_BRANCH) && '1' || '0' }}
+
+      - name: Set DEPLOY_BRANCH
+        id: set-deploy-branch
+        run: echo "DEPLOY_BRANCH=$DEPLOY_BRANCH" >> $GITHUB_ENV
+        env:
+          DEPLOY_BRANCH: ${{ secrets.DEPLOY_BRANCH && contains(github.ref, secrets.DEPLOY_BRANCH) && '1' || '0' }}
+
+      - name: Validate DEPLOY_BRANCH
+        run: |
+          if [[ "$DEPLOY_BRANCH" != "1" && "$DEPLOY_BRANCH" != "0" ]]; then
+            echo "Invalid DEPLOY_BRANCH value: $DEPLOY_BRANCH"
+            exit 1
+          fi
+        env:
+          DEPLOY_BRANCH: ${{ env.DEPLOY_BRANCH }}
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.x"
+
+      - name: Install dependencies
+        run: pip install ford
+
+      - name: Build Documentation
+        run: ford ford.md
+
+      - name: Deploy to GitHub Pages
+        uses: JamesIves/[email protected]
+        if: ${{ github.event_name == 'push' && steps.deploy-on-push.outputs.result != '0' }}
+        with:
+          branch: gh-pages
+          folder: _docs
+          single-commit: true
+          git-config-email: [email protected]
+          git-config-name: DFT-D4