Apply zizmor findings (apache#45408)

Author: gopidesupavan

.github/actions/breeze/action.yml

@@ -24,8 +24,7 @@ inputs:
     default: "3.9"
   use-uv:
     description: 'Whether to use uv tool'
-    required: "true"
-    type: "string"
+    required: true
 outputs:
   host-python-version:
     description: Python version used in host

.github/actions/install-pre-commit/action.yml

@@ -36,10 +36,14 @@ runs:
   steps:
     - name: Install pre-commit, uv, and pre-commit-uv
       shell: bash
+      env:
+        UV_VERSION: ${{inputs.uv-version}}
+        PRE_COMMIT_VERSION: ${{inputs.pre-commit-version}}
+        PRE_COMMIT_UV_VERSION: ${{inputs.pre-commit-uv-version}}
       run: |
-        pip install uv==${{inputs.uv-version}} || true
-        uv tool install pre-commit==${{inputs.pre-commit-version}} --with uv==${{inputs.uv-version}} \
-        --with pre-commit-uv==${{inputs.pre-commit-uv-version}}
+        pip install uv==${UV_VERSION} || true
+        uv tool install pre-commit==${PRE_COMMIT_VERSION} --with uv==${UV_VERSION} \
+        --with pre-commit-uv==${PRE_COMMIT_UV_VERSION}
       working-directory: ${{ github.workspace }}
     # We need to use tar file with archive to restore all the permissions and symlinks
     - name: "Delete ~.cache"

.github/actions/prepare_breeze_and_image/action.yml

@@ -52,7 +52,11 @@ runs:
         key: ${{ inputs.image-type }}-image-save-${{ inputs.platform }}-${{ inputs.python }}
         path: "/tmp/"
     - name: "Load ${{ inputs.image-type }} image ${{ inputs.platform }}:${{ inputs.python }}"
+      env:
+        PLATFORM: ${{ inputs.platform }}
+        PYTHON: ${{ inputs.python }}
+        IMAGE_TYPE: ${{ inputs.image-type }}
       run: >
-        breeze ${{ inputs.image-type }}-image load
-        --platform ${{ inputs.platform }} --python ${{ inputs.python }}
+        breeze ${IMAGE_TYPE}-image load
+        --platform ${PLATFORM} --python ${PYTHON}
       shell: bash

.github/actions/prepare_single_ci_image/action.yml

@@ -42,6 +42,9 @@ runs:
         path: "/tmp/"
       if: contains(inputs.python-versions-list-as-string, inputs.python)
     - name: "Load CI image ${{ inputs.platform }}:${{ inputs.python }}"
-      run: breeze ci-image load --platform "${{ inputs.platform }}" --python "${{ inputs.python }}"
+      env:
+        PLATFORM: ${{ inputs.platform }}
+        PYTHON: ${{ inputs.python }}
+      run: breeze ci-image load --platform "${PLATFORM}" --python "${PYTHON}"
       shell: bash
       if: contains(inputs.python-versions-list-as-string, inputs.python)

.github/workflows/additional-ci-image-checks.yml

@@ -146,7 +146,10 @@ jobs:
         with:
           use-uv: ${{ inputs.use-uv }}
       - name: "Login to ghcr.io"
-        run: echo "${{ env.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+        env:
+          actor: ${{ github.actor }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: echo "$GITHUB_TOKEN" | docker login ghcr.io -u "$actor" --password-stdin
       - name: "Check that image builds quickly"
         run: breeze shell --max-time 600 --platform "linux/amd64"
 

.github/workflows/additional-prod-image-tests.yml

@@ -123,11 +123,15 @@ jobs:
           python: ${{ inputs.default-python-version }}
           use-uv: ${{ inputs.use-uv }}
       - name: "Test examples of PROD image building"
+        env:
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          DEFAULT_BRANCH: ${{ inputs.default-branch }}
+          DEFAULT_PYTHON_VERSION: ${{ inputs.default-python-version }}
         run: "
           cd ./docker_tests && \
           python -m pip install -r requirements.txt && \
-          TEST_IMAGE=\"ghcr.io/${{ github.repository }}/${{ inputs.default-branch }}\
-          /prod/python${{ inputs.default-python-version }}\" \
+          TEST_IMAGE=\"ghcr.io/$GITHUB_REPOSITORY/$DEFAULT_BRANCH\
+          /prod/python$DEFAULT_PYTHON_VERSION\" \
           python -m pytest test_examples_of_prod_image_building.py -n auto --color=yes"
 
   test-docker-compose-quick-start:

.github/workflows/backport-cli.yml

@@ -64,24 +64,28 @@ jobs:
         id: execute-backport
         env:
           GH_AUTH: ${{ secrets.GITHUB_TOKEN }}
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+          COMMIT_SHA: ${{ inputs.commit-sha }}
         run: |
           git config --global user.email "[email protected]"
           git config --global user.name "Your Name"
           set +e
           {
           echo 'cherry_picker_output<<EOF'
-          cherry_picker ${{ inputs.commit-sha }} ${{ inputs.target-branch }}
+          cherry_picker ${COMMIT_SHA} ${TARGET_BRANCH}
           echo EOF
           } >> "${GITHUB_OUTPUT}"
         continue-on-error: true
 
       - name: Parse backport output
         id: parse-backport-output
+        env:
+          CHERRY_PICKER_OUTPUT: ${{ steps.execute-backport.outputs.cherry_picker_output }}
         run: |
           set +e
-          echo "${{ steps.execute-backport.outputs.cherry_picker_output }}"
+          echo "${CHERRY_PICKER_OUTPUT}"
 
-          url=$(echo "${{ steps.execute-backport.outputs.cherry_picker_output }}" | \
+          url=$(echo "${CHERRY_PICKER_OUTPUT}" | \
               grep -o 'Backport PR created at https://[^ ]*' | \
               awk '{print $5}')
 
@@ -99,17 +103,20 @@ jobs:
           GH_TOKEN: ${{ github.token }}
           REPOSITORY: ${{ github.repository }}
           RUN_ID: ${{ github.run_id }}
+          COMMIT_SHA: ${{ inputs.commit-sha }}
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+          BACKPORT_URL: ${{ steps.parse-backport-output.outputs.backport-url }}
         run: |
-          COMMIT_INFO_URL="https://api.github.com/repos/${{ github.repository }}/commits/"
-          COMMIT_INFO_URL="${COMMIT_INFO_URL}${{ inputs.commit-sha }}/pulls"
+          COMMIT_INFO_URL="https://api.github.com/repos/$REPOSITORY/commits/"
+          COMMIT_INFO_URL="${COMMIT_INFO_URL}$COMMIT_SHA/pulls"
 
           PR_NUMBER=$(gh api \
               -H "Accept: application/vnd.github+json" \
               -H "X-GitHub-Api-Version: 2022-11-28" \
-              /repos/${{ github.repository }}/commits/${{ inputs.commit-sha }}/pulls \
+              /repos/$REPOSITORY/commits/$COMMIT_SHA/pulls \
               --jq '.[0].number')
 
           python ./dev/backport/update_backport_status.py \
-              ${{ steps.parse-backport-output.outputs.backport-url }} \
-              ${{ inputs.commit-sha }} ${{ inputs.target-branch }} \
+              $BACKPORT_URL \
+              $COMMIT_SHA $TARGET_BRANCH \
               "$PR_NUMBER"

.github/workflows/ci-image-build.yml

@@ -140,17 +140,22 @@ jobs:
           path: "/tmp/"
         id: restore-cache-mount
       - name: "Import mount-cache ${{ inputs.platform }}:${{ env.PYTHON_MAJOR_MINOR_VERSION }}"
+        env:
+          PYTHON_MAJOR_MINOR_VERSION: ${{ env.PYTHON_MAJOR_MINOR_VERSION }}
         run: >
           breeze ci-image import-mount-cache
-          --cache-file /tmp/ci-cache-mount-save-v2-${{ env.PYTHON_MAJOR_MINOR_VERSION }}.tar.gz
+          --cache-file /tmp/ci-cache-mount-save-v2-${PYTHON_MAJOR_MINOR_VERSION}.tar.gz
         if: steps.restore-cache-mount.outputs.stash-hit == 'true'
       - name: "Login to ghcr.io"
-        run: echo "${{ env.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ACTOR: ${{ github.actor }}
+        run: echo "${GITHUB_TOKEN}" | docker login ghcr.io -u ${ACTOR} --password-stdin
       - name: >
           Build ${{ inputs.push-image == 'true' && ' & push ' || '' }}
           ${{ inputs.platform }}:${{ env.PYTHON_MAJOR_MINOR_VERSION }} image
         run: >
-          breeze ci-image build --platform "${{ inputs.platform }}"
+          breeze ci-image build --platform "${PLATFORM}"
         env:
           DOCKER_CACHE: ${{ inputs.docker-cache }}
           DISABLE_AIRFLOW_REPO_CACHE: ${{ inputs.disable-airflow-repo-cache }}
@@ -167,8 +172,11 @@ jobs:
           GITHUB_USERNAME: ${{ github.actor }}
           PUSH: ${{ inputs.push-image }}
           VERBOSE: "true"
+          PLATFORM: ${{ inputs.platform }}
       - name: "Export CI docker image ${{ env.PYTHON_MAJOR_MINOR_VERSION }}"
-        run: breeze ci-image save --platform "${{ inputs.platform }}"
+        env:
+          PLATFORM: ${{ inputs.platform }}
+        run: breeze ci-image save --platform "${PLATFORM}"
         if: inputs.upload-image-artifact == 'true'
       - name: "Stash CI docker image ${{ env.PYTHON_MAJOR_MINOR_VERSION }}"
         uses: apache/infrastructure-actions/stash/save@c94b890bbedc2fc61466d28e6bd9966bc6c6643c
@@ -179,9 +187,11 @@ jobs:
           retention-days: '2'
         if: inputs.upload-image-artifact == 'true'
       - name: "Export mount cache ${{ inputs.platform }}:${{ env.PYTHON_MAJOR_MINOR_VERSION }}"
+        env:
+          PYTHON_MAJOR_MINOR_VERSION: ${{ env.PYTHON_MAJOR_MINOR_VERSION }}
         run: >
           breeze ci-image export-mount-cache
-          --cache-file /tmp/ci-cache-mount-save-v2-${{ env.PYTHON_MAJOR_MINOR_VERSION }}.tar.gz
+          --cache-file /tmp/ci-cache-mount-save-v2-${PYTHON_MAJOR_MINOR_VERSION}.tar.gz
         if: inputs.upload-mount-cache-artifact == 'true'
       - name: "Stash cache mount ${{ inputs.platform }}:${{ env.PYTHON_MAJOR_MINOR_VERSION }}"
         uses: apache/infrastructure-actions/stash/save@c94b890bbedc2fc61466d28e6bd9966bc6c6643c

.github/workflows/ci-image-checks.yml

@@ -228,14 +228,15 @@ jobs:
         with:
           python-version: ${{steps.breeze.outputs.host-python-version}}
       - name: "MyPy checks for ${{ matrix.mypy-check }}"
-        run: pre-commit run --color always --verbose --hook-stage manual ${{matrix.mypy-check}} --all-files
+        run: pre-commit run --color always --verbose --hook-stage manual "$MYPY_CHECK" --all-files
         env:
           VERBOSE: "false"
           COLUMNS: "250"
           SKIP_GROUP_OUTPUT: "true"
           DEFAULT_BRANCH: ${{ inputs.branch }}
           RUFF_FORMAT: "github"
           INCLUDE_MYPY_VOLUME: "false"
+          MYPY_CHECK: ${{ matrix.mypy-check }}
 
   build-docs:
     timeout-minutes: 150
@@ -276,8 +277,10 @@ jobs:
           key: cache-docs-inventory-v1-${{ hashFiles('pyproject.toml') }}
         id: restore-docs-inventory-cache
       - name: "Building docs with ${{ matrix.flag }} flag"
+        env:
+          DOCS_LIST_AS_STRING: ${{ inputs.docs-list-as-string }}
         run: >
-          breeze build-docs ${{ inputs.docs-list-as-string }} ${{ matrix.flag }}
+          breeze build-docs ${DOCS_LIST_AS_STRING} ${{ matrix.flag }}
       - name: "Save docs inventory cache"
         uses: apache/infrastructure-actions/stash/save@c94b890bbedc2fc61466d28e6bd9966bc6c6643c
         with:
@@ -339,9 +342,11 @@ jobs:
           python: ${{ inputs.default-python-version }}
           use-uv: ${{ inputs.use-uv }}
       - name: "Publish docs"
+        env:
+          DOCS_LIST_AS_STRING: ${{ inputs.docs-list-as-string }}
         run: >
           breeze release-management publish-docs --override-versioned --run-in-parallel
-          ${{ inputs.docs-list-as-string }}
+          ${DOCS_LIST_AS_STRING}
       - name: Check disk space available
         run: df -h
       - name: "Generate back references for providers"

.github/workflows/ci.yml

@@ -34,12 +34,6 @@ on:  # yamllint disable-line rule:truthy
 permissions:
   # All other permissions are set to none by default
   contents: read
-  # Technically read access while waiting for images should be more than enough. However,
-  # there is a bug in GitHub Actions/Packages and in case private repositories are used, you get a permission
-  # denied error when attempting to just pull private image, changing the token permission to write solves the
-  # issue. This is not dangerous, because if it is for "apache/airflow", only maintainers can push ci.yml
-  # changes. If it is for a fork, then the token is read-only anyway.
-  packages: write
 env:
   GITHUB_REPOSITORY: ${{ github.repository }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -228,6 +222,9 @@ jobs:
     name: "Additional CI image checks"
     needs: [build-info, build-ci-images]
     uses: ./.github/workflows/additional-ci-image-checks.yml
+    permissions:
+      contents: read
+      packages: write
     if: needs.build-info.outputs.canary-run == 'true'
     with:
       runs-on-as-json-default: ${{ needs.build-info.outputs.runs-on-as-json-default }}