ci: fix all medium-severity zizmor findings and set --min-severity medium

Author: davidgamero

.github/dependabot.yml

@@ -5,15 +5,21 @@ updates:
       schedule:
           interval: 'daily'
           time: '02:00'
+      cooldown:
+          default-days: 7
       target-branch: 'main'
     - package-ecosystem: 'github-actions'
       directory: '/'
       schedule:
           interval: 'daily'
           time: '03:00'
+      cooldown:
+          default-days: 7
       target-branch: 'main'
     - package-ecosystem: 'devcontainers'
       directory: '/'
       schedule:
           interval: 'weekly'
+      cooldown:
+          default-days: 7
       target-branch: 'main'

.github/workflows/codeql-analysis.yml

@@ -21,15 +21,16 @@ on:
     schedule:
         - cron: '35 14 * * 3'
 
-permissions:
-    actions: read
-    contents: read
-    security-events: write
+permissions: {}
 
 jobs:
     analyze:
         name: Analyze
         runs-on: ubuntu-latest
+        permissions:
+            actions: read
+            contents: read
+            security-events: write
 
         strategy:
             fail-fast: false
@@ -39,6 +40,8 @@ jobs:
         steps:
             - name: Checkout repository
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              with:
+                  persist-credentials: false
 
             # Initializes the CodeQL tools for scanning.
             - name: Initialize CodeQL

.github/workflows/deploy-docs.yml

@@ -3,12 +3,19 @@ on:
     push:
         branches:
             - main
+
+permissions: {}
+
 jobs:
     build-and-deploy-docs:
         runs-on: ubuntu-latest
+        permissions:
+            contents: write
         steps:
             - name: Checkout
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              with:
+                  persist-credentials: false
             - name: Setup Node.js
               uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:

.github/workflows/generate-javascript.yml

@@ -20,10 +20,12 @@ jobs:
         runs-on: ubuntu-latest
         permissions:
             contents: write # Push generated branch
-            pull-requests: write # Create PR via repo-sync/pull-request
+            pull-requests: write # Create PR via gh CLI
         steps:
             - name: Checkout Javascript
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              with:
+                  persist-credentials: false
             - name: Setup Node
               uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
@@ -50,13 +52,19 @@ jobs:
                   # we modify the settings file in "Generate Openapi" but do not want to commit this
                   git reset settings
                   git commit -s -m "Automated openapi generation from ${KUBERNETES_BRANCH}"
+                  git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
                   git push origin "$BRANCH"
               env:
                   KUBERNETES_BRANCH: ${{ github.event.inputs.kubernetesBranch }}
-            - name: Pull Request
-              uses: repo-sync/pull-request@7e79a9f5dc3ad0ce53138f01df2fad14a04831c5 # v2.12.1
-              with:
-                  source_branch: ${{ env.BRANCH }}
-                  destination_branch: ${{ github.ref_name }}
-                  github_token: ${{ secrets.GITHUB_TOKEN }}
-                  pr_title: 'Automated Generate from openapi ${{ github.event.inputs.kubernetesBranch }}'
+                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+            - name: Create Pull Request
+              run: |
+                  gh pr create \
+                    --base "${BASE_BRANCH}" \
+                    --head "$BRANCH" \
+                    --title "Automated Generate from openapi ${KUBERNETES_BRANCH}" \
+                    --body "Automated openapi generation from ${KUBERNETES_BRANCH}"
+              env:
+                  KUBERNETES_BRANCH: ${{ github.event.inputs.kubernetesBranch }}
+                  BASE_BRANCH: ${{ github.ref_name }}
+                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml

@@ -36,6 +36,8 @@ jobs:
         steps:
             - name: Checkout Javascript
               uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              with:
+                  persist-credentials: false
             - name: Setup Node
               uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
@@ -62,6 +64,8 @@ jobs:
             - name: Push tag
               if: ${{ github.event.inputs.dry_run != 'true' }}
               run: |
+                  git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
                   git push origin "${RELEASE_VERSION}"
               env:
                   RELEASE_VERSION: ${{ github.event.inputs.releaseVersion }}
+                  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/test.yml

@@ -6,15 +6,21 @@ on:
     pull_request:
         branches: [master, main]
 
+permissions: {}
+
 jobs:
     build:
         runs-on: ubuntu-latest
+        permissions:
+            contents: read
         strategy:
             matrix:
                 node: ['25', '24', '23', '22', '20', '18']
         name: Node ${{ matrix.node }} validation
         steps:
             - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+              with:
+                  persist-credentials: false
             - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
               with:
                   node-version: ${{ matrix.node }}
@@ -48,3 +54,4 @@ jobs:
               with:
                   advanced-security: false
                   persona: pedantic
+                  min-severity: medium