GHA/checksrc: pass zizmor a GH token, fix warnings found

For a complete, online, check. After this patch the check takes 30s, up from a fraction of a second. Also bump CodeQL actions to their latest version. Closes #18827
2026-05-16 16:46:20 +03:00 · 2025-10-03 11:43:10 +02:00 · 2025-10-03 11:43:10 +02:00 · 2e5993ab08
commit 2e5993ab08
parent 4e2edde102
3 changed files with 7 additions and 5 deletions
--- a/.github/workflows/checksrc.yml
+++ b/.github/workflows/checksrc.yml
@ -129,6 +129,8 @@ jobs:
          persist-credentials: false

      - name: 'zizmor GHA'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"
          zizmor --pedantic .github/workflows/*.yml
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@ -48,13 +48,13 @@ jobs:
          persist-credentials: false

      - name: 'initialize'
-        uses: github/codeql-action/init@303c0aef88fc2fe5ff6d63d3b1596bfd83dfa1f9 # v3
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
        with:
          languages: actions, python
          queries: security-extended

      - name: 'perform analysis'
-        uses: github/codeql-action/analyze@303c0aef88fc2fe5ff6d63d3b1596bfd83dfa1f9 # v3
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5

  c:
    name: 'C'
@ -84,7 +84,7 @@ jobs:
          persist-credentials: false

      - name: 'initialize'
-        uses: github/codeql-action/init@303c0aef88fc2fe5ff6d63d3b1596bfd83dfa1f9 # v3
+        uses: github/codeql-action/init@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
        with:
          languages: cpp
          build-mode: manual
@ -130,4 +130,4 @@ jobs:
          fi

      - name: 'perform analysis'
-        uses: github/codeql-action/analyze@303c0aef88fc2fe5ff6d63d3b1596bfd83dfa1f9 # v3
+        uses: github/codeql-action/analyze@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
--- a/.github/workflows/distcheck.yml
+++ b/.github/workflows/distcheck.yml
@ -49,7 +49,7 @@ jobs:
      - name: 'maketgz'
        run: SOURCE_DATE_EPOCH=1711526400 ./scripts/maketgz 99.98.97

-      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4
+      - uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
        with:
          name: 'release-tgz'
          path: 'curl-99.98.97.tar.gz'