Security/867 fix linting results part 2

.github/actions/python-environment/action.yml

@@ -44,7 +44,7 @@ runs:
 
     - name: Set up Poetry (${{ inputs.poetry-version }})
       shell: bash
-      run: |
+      run: | # zizmor: ignore[github-env] - This shared action is used by many workflows, and downstream steps need `poetry` on PATH; we do not have a safer replacement yet.
         POETRY_VERSION="${INPUTS_POETRY_VERSION}" "$PYTHON_BINARY" "${{ github.action_path }}/ext/get_poetry.py"
         echo "$HOME/.local/bin" >> $GITHUB_PATH
       env:

.github/actions/security-issues/action.yml

@@ -43,13 +43,17 @@ runs:
 
     - name: Create Security Issue Report
       shell: bash
+      env:
+        SECURITY_COMMAND: ${{ inputs.command }}
       run: |
-        ${{ inputs.command }} | tee input
+        bash -euo pipefail -c "$SECURITY_COMMAND" | tee input
 
     - name: Convert Report To Common Input Format
       shell: bash
+      env:
+        SECURITY_FORMAT: ${{ inputs.format }}
       run: |
-        tbx security cve convert ${{inputs.format}} < input | tee cves.jsonl
+        tbx security cve convert "$SECURITY_FORMAT" < input | tee cves.jsonl
 
     - name: Filter Issues
       env:
@@ -62,9 +66,10 @@ runs:
     - name: Create Issues
       env:
         GH_TOKEN: ${{ inputs.github-token }}
+        SECURITY_PROJECT: ${{ inputs.project }}
       shell: bash
       run: |
-        tbx security cve create --project "${{ inputs.project }}" < issues.jsonl | tee created.jsonl
+        tbx security cve create --project "$SECURITY_PROJECT" < issues.jsonl | tee created.jsonl
 
     - name: Define Output Parameter
       id: get-created-issues

.github/zizmor.yml

@@ -1,15 +1,9 @@
 rules:
-  github-env:
-    disable: true
-  secrets-inherit:
-    disable: true
-  template-injection:
-    disable: true
   unpinned-uses:
+    # Official GitHub actions & ones maintained by us may use a referential pin.
+    # Third party GitHub actions must be defined with an SHA hash.
     config:
       policies:
         "actions/*": ref-pin
         exasol/python-toolbox/.github/actions/python-environment: ref-pin
         "*": hash-pin
-  use-trusted-publishing:
-    disable: true

doc/changes/unreleased.md

@@ -1,3 +1,7 @@
 # Unreleased
 
 ## Summary
+
+## Security
+
+* #867: Fixed zizmor linting results

exasol/toolbox/templates/github/workflows/build-and-publish.yml

@@ -36,7 +36,7 @@ jobs:
         env:
           POETRY_HTTP_BASIC_PYPI_USERNAME: "__token__"
           POETRY_HTTP_BASIC_PYPI_PASSWORD: "${{ secrets.PYPI_TOKEN }}"
-        run: poetry publish
+        run: poetry publish # zizmor: ignore[use-trusted-publishing] - Trusted Publishing is not usable from this reusable workflow yet; see https://github.com/exasol/python-toolbox/issues/871
 
       - name: Publish Release to GitHub
         id: publish-release-to-github

exasol/toolbox/templates/github/workflows/cd.yml

@@ -27,7 +27,9 @@ jobs:
   (% if workflow_extension.cd %)
   cd-extension:
     uses: ./.github/workflows/cd-extension.yml
-    secrets: inherit
+    needs:
+      - check-release-tag
+    secrets: inherit # zizmor: ignore[secrets-inherit] - PTB cannot customize inherited secrets here yet; tracked in https://github.com/exasol/python-toolbox/issues/872.
     permissions:
       contents: write
   (% endif %)

exasol/toolbox/templates/github/workflows/ci.yml

@@ -9,7 +9,7 @@ jobs:
   merge-gate:
     name: Merge Gate
     uses: ./.github/workflows/merge-gate.yml
-    secrets: inherit
+    secrets: inherit # zizmor: ignore[secrets-inherit] - PTB cannot customize inherited secrets here yet; tracked in https://github.com/exasol/python-toolbox/issues/872.
     permissions:
       contents: read