Clean up workflow files from Zizmor output

.github/workflows/_move_edd_db_scripts.yml

@@ -41,18 +41,19 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           token: ${{ steps.retrieve-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          persist-credentials: false
 
       - name: Get script prefix
         id: prefix
-        run: echo "prefix=$(date +'%Y-%m-%d')" >> $GITHUB_OUTPUT
+        run: echo "prefix=$(date +'%Y-%m-%d')" >> "$GITHUB_OUTPUT"
 
       - name: Check if any files in DB transition or finalization directories
         id: check-script-existence
         run: |
           if [ -f util/Migrator/DbScripts_transition/* -o -f util/Migrator/DbScripts_finalization/* ]; then
-            echo "copy_edd_scripts=true" >> $GITHUB_OUTPUT
+            echo "copy_edd_scripts=true" >> "$GITHUB_OUTPUT"
           else
-            echo "copy_edd_scripts=false" >> $GITHUB_OUTPUT
+            echo "copy_edd_scripts=false" >> "$GITHUB_OUTPUT"
           fi
 
   move-scripts:
@@ -70,17 +71,18 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: true
 
       - name: Generate branch name
         id: branch_name
         env:
           PREFIX: ${{ needs.setup.outputs.migration_filename_prefix }}
-        run: echo "branch_name=move_edd_db_scripts_$PREFIX" >> $GITHUB_OUTPUT
+        run: echo "branch_name=move_edd_db_scripts_$PREFIX" >> "$GITHUB_OUTPUT"
 
       - name: "Create branch"
         env:
           BRANCH: ${{ steps.branch_name.outputs.branch_name }}
-        run: git switch -c $BRANCH
+        run: git switch -c "$BRANCH"
 
       - name: Move scripts and finalization database schema
         id: move-files
@@ -120,7 +122,7 @@ jobs:
 
           # sync finalization schema back to dbo, maintaining structure
           rsync -r "$src_dir/" "$dest_dir/"
-          rm -rf $src_dir/*
+          rm -rf "${src_dir}/*"
 
           # Replace any finalization references due to the move
           find ./src/Sql/dbo -name "*.sql" -type f -exec sed -i \
@@ -131,7 +133,7 @@ jobs:
             moved_files="$moved_files \n $file"
           done
 
-          echo "moved_files=$moved_files" >> $GITHUB_OUTPUT
+          echo "moved_files=$moved_files" >> "$GITHUB_OUTPUT"
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -162,18 +164,20 @@ jobs:
 
       - name: Commit and push changes
         id: commit
+        env:
+          BRANCH_NAME: ${{ steps.branch_name.outputs.branch_name }}
         run: |
           git config --local user.email "[email protected]"
           git config --local user.name "bitwarden-devops-bot"
           if [ -n "$(git status --porcelain)" ]; then
             git add .
             git commit -m "Move EDD database scripts" -a
-            git push -u origin ${{ steps.branch_name.outputs.branch_name }}
-            echo "pr_needed=true" >> $GITHUB_OUTPUT
+            git push -u origin "${BRANCH_NAME}"
+            echo "pr_needed=true" >> "$GITHUB_OUTPUT"
           else
             echo "No changes to commit!";
-            echo "pr_needed=false" >> $GITHUB_OUTPUT
-            echo "### :mega: No changes to commit! PR was ommited." >> $GITHUB_STEP_SUMMARY
+            echo "pr_needed=false" >> "$GITHUB_OUTPUT"
+            echo "### :mega: No changes to commit! PR was ommited." >> "$GITHUB_STEP_SUMMARY"
           fi
 
       - name: Create PR for ${{ steps.branch_name.outputs.branch_name }}
@@ -195,7 +199,7 @@ jobs:
               Files moved:
               $(echo -e "$MOVED_FILES")
               ")
-          echo "pr_url=${PR_URL}" >> $GITHUB_OUTPUT
+          echo "pr_url=${PR_URL}" >> "$GITHUB_OUTPUT"
 
       - name: Notify Slack about creation of PR
         if: ${{ steps.commit.outputs.pr_needed == 'true' }}

.github/workflows/build.yml

@@ -28,6 +28,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Set up .NET
         uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
@@ -97,23 +98,24 @@ jobs:
         id: check-secrets
         run: |
           has_secrets=${{ secrets.AZURE_CLIENT_ID != '' }}
-          echo "has_secrets=$has_secrets" >> $GITHUB_OUTPUT
+          echo "has_secrets=$has_secrets" >> "$GITHUB_OUTPUT"
 
       - name: Check out repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Check branch to publish
         env:
           PUBLISH_BRANCHES: "main,rc,hotfix-rc"
         id: publish-branch-check
         run: |
-          IFS="," read -a publish_branches <<< $PUBLISH_BRANCHES
+          IFS="," read -a publish_branches <<< "$PUBLISH_BRANCHES"
           if [[ " ${publish_branches[*]} " =~ " ${GITHUB_REF:11} " ]]; then
-            echo "is_publish_branch=true" >> $GITHUB_ENV
+            echo "is_publish_branch=true" >> "$GITHUB_ENV"
           else
-            echo "is_publish_branch=false" >> $GITHUB_ENV
+            echo "is_publish_branch=false" >> "$GITHUB_ENV"
           fi
 
       - name: Set up .NET
@@ -209,16 +211,16 @@ jobs:
             IMAGE_TAG=dev
           fi
 
-          echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
-          echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> $GITHUB_STEP_SUMMARY
+          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
+          echo "### :mega: Docker Image Tag: $IMAGE_TAG" >> "$GITHUB_STEP_SUMMARY"
 
       - name: Set up project name
         id: setup
         run: |
           PROJECT_NAME=$(echo "${{ matrix.project_name }}" | awk '{print tolower($0)}')
           echo "Matrix name: ${{ matrix.project_name }}"
           echo "PROJECT_NAME: $PROJECT_NAME"
-          echo "project_name=$PROJECT_NAME" >> $GITHUB_OUTPUT
+          echo "project_name=$PROJECT_NAME" >> "$GITHUB_OUTPUT"
 
       - name: Generate image tags(s)
         id: image-tags
@@ -228,12 +230,12 @@ jobs:
           SHA: ${{ github.sha }}
         run: |
           TAGS="${_AZ_REGISTRY}/${PROJECT_NAME}:${IMAGE_TAG}"
-          echo "primary_tag=$TAGS" >> $GITHUB_OUTPUT
+          echo "primary_tag=$TAGS" >> "$GITHUB_OUTPUT"
           if [[ "${IMAGE_TAG}" == "dev" ]]; then
-            SHORT_SHA=$(git rev-parse --short ${SHA})
+            SHORT_SHA=$(git rev-parse --short "${SHA}")
             TAGS=$TAGS",${_AZ_REGISTRY}/${PROJECT_NAME}:dev-${SHORT_SHA}"
           fi
-          echo "tags=$TAGS" >> $GITHUB_OUTPUT
+          echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
 
       - name: Build Docker image
         id: build-artifacts
@@ -260,12 +262,13 @@ jobs:
           DIGEST: ${{ steps.build-artifacts.outputs.digest }}
           TAGS: ${{ steps.image-tags.outputs.tags }}
         run: |
-          IFS="," read -a tags <<< "${TAGS}"
-          images=""
-          for tag in "${tags[@]}"; do
-            images+="${tag}@${DIGEST} "
+          IFS=',' read -r -a tags_array <<< "${TAGS}"
+          images=()
+          for tag in "${tags_array[@]}"; do
+            images+=("${tag}@${DIGEST}")
           done
-          cosign sign --yes ${images}
+          cosign sign --yes "${images[@]}"
+          echo "images=${images[*]}" >> "$GITHUB_OUTPUT"
 
       - name: Scan Docker image
         id: container-scan
@@ -297,6 +300,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Set up .NET
         uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
@@ -309,7 +313,7 @@ jobs:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Log in to ACR - production subscription
-        run: az acr login -n $_AZ_REGISTRY --only-show-errors
+        run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
 
       - name: Make Docker stubs
         if: |
@@ -332,26 +336,26 @@ jobs:
           STUB_OUTPUT=$(pwd)/docker-stub
 
           # Run setup
-          docker run -i --rm --name setup -v $STUB_OUTPUT/US:/bitwarden $SETUP_IMAGE \
+          docker run -i --rm --name setup -v "$STUB_OUTPUT/US:/bitwarden" "$SETUP_IMAGE" \
             /app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region US
-          docker run -i --rm --name setup -v $STUB_OUTPUT/EU:/bitwarden $SETUP_IMAGE \
+          docker run -i --rm --name setup -v "$STUB_OUTPUT/EU:/bitwarden" "$SETUP_IMAGE" \
             /app/Setup -stub 1 -install 1 -domain bitwarden.example.com -os lin -cloud-region EU
 
-          sudo chown -R $(whoami):$(whoami) $STUB_OUTPUT
+          sudo chown -R "$(whoami):$(whoami)" "$STUB_OUTPUT"
 
           # Remove extra directories and files
-          rm -rf $STUB_OUTPUT/US/letsencrypt
-          rm -rf $STUB_OUTPUT/EU/letsencrypt
-          rm $STUB_OUTPUT/US/env/uid.env $STUB_OUTPUT/US/config.yml
-          rm $STUB_OUTPUT/EU/env/uid.env $STUB_OUTPUT/EU/config.yml
+          rm -rf "$STUB_OUTPUT/US/letsencrypt"
+          rm -rf "$STUB_OUTPUT/EU/letsencrypt"
+          rm "$STUB_OUTPUT/US/env/uid.env" "$STUB_OUTPUT/US/config.yml"
+          rm "$STUB_OUTPUT/EU/env/uid.env" "$STUB_OUTPUT/EU/config.yml"
 
           # Create uid environment files
-          touch $STUB_OUTPUT/US/env/uid.env
-          touch $STUB_OUTPUT/EU/env/uid.env
+          touch "$STUB_OUTPUT/US/env/uid.env"
+          touch "$STUB_OUTPUT/EU/env/uid.env"
 
           # Zip up the Docker stub files
-          cd docker-stub/US; zip -r ../../docker-stub-US.zip *; cd ../..
-          cd docker-stub/EU; zip -r ../../docker-stub-EU.zip *; cd ../..
+          cd docker-stub/US; zip -r ../../docker-stub-US.zip ./*; cd ../..
+          cd docker-stub/EU; zip -r ../../docker-stub-EU.zip ./*; cd ../..
 
       - name: Log out from Azure
         uses: bitwarden/gh-actions/azure-logout@main
@@ -423,6 +427,7 @@ jobs:
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Set up .NET
         uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1

.github/workflows/cleanup-after-pr.yml

@@ -22,7 +22,7 @@ jobs:
           client_id: ${{ secrets.AZURE_CLIENT_ID }}
 
       - name: Log in to Azure ACR
-        run: az acr login -n $_AZ_REGISTRY --only-show-errors
+        run: az acr login -n "$_AZ_REGISTRY" --only-show-errors
 
       ########## Remove Docker images ##########
       - name: Remove the Docker image from ACR
@@ -45,20 +45,20 @@ jobs:
               - Setup
               - Sso
         run: |
-          for SERVICE in $(echo "${{ env.SERVICES }}" | yq e ".services[]" - )
+          for SERVICE in $(echo "${SERVICES}" | yq e ".services[]" - )
           do
-            SERVICE_NAME=$(echo $SERVICE | awk '{print tolower($0)}')
+            SERVICE_NAME=$(echo "$SERVICE" | awk '{print tolower($0)}')
             IMAGE_TAG=$(echo "${REF}" | sed "s#/#-#g")  # slash safe branch name
 
             echo "[*] Checking if remote exists: $_AZ_REGISTRY/$SERVICE_NAME:$IMAGE_TAG"
             TAG_EXISTS=$(
-              az acr repository show-tags --name $_AZ_REGISTRY --repository $SERVICE_NAME \
-              | jq --arg $TAG "$IMAGE_TAG" -e '. | any(. == "$TAG")'
+              az acr repository show-tags --name "$_AZ_REGISTRY" --repository "$SERVICE_NAME" \
+              | jq --arg TAG "$IMAGE_TAG" -e '. | any(. == $TAG)'
             )
 
             if [[ "$TAG_EXISTS" == "true" ]]; then
               echo "[*] Tag exists. Removing tag"
-              az acr repository delete --name $_AZ_REGISTRY --image $SERVICE_NAME:$IMAGE_TAG --yes
+              az acr repository delete --name "$_AZ_REGISTRY" --image "$SERVICE_NAME:$IMAGE_TAG" --yes
             else
               echo "[*] Tag does not exist. No action needed"
             fi

.github/workflows/cleanup-rc-branch.yml

@@ -35,6 +35,8 @@ jobs:
         with:
           ref: main
           token: ${{ steps.retrieve-bot-secrets.outputs.github-pat-bitwarden-devops-bot-repo-scope }}
+          persist-credentials: false
+          fetch-depth: 0
 
       - name: Check if a RC branch exists
         id: branch-check
@@ -43,18 +45,18 @@ jobs:
           rc_branch_check=$(git ls-remote --heads origin rc | wc -l)
 
           if [[ "${hotfix_rc_branch_check}" -gt 0 ]]; then
-            echo "hotfix-rc branch exists." | tee -a $GITHUB_STEP_SUMMARY
-            echo "name=hotfix-rc" >> $GITHUB_OUTPUT
+            echo "hotfix-rc branch exists." | tee -a "$GITHUB_STEP_SUMMARY"
+            echo "name=hotfix-rc" >> "$GITHUB_OUTPUT"
           elif [[ "${rc_branch_check}" -gt 0 ]]; then
-            echo "rc branch exists." | tee -a $GITHUB_STEP_SUMMARY
-            echo "name=rc" >> $GITHUB_OUTPUT
+            echo "rc branch exists." | tee -a "$GITHUB_STEP_SUMMARY"
+            echo "name=rc" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Delete RC branch
         env:
           BRANCH_NAME: ${{ steps.branch-check.outputs.name }}
         run: |
           if ! [[ -z "$BRANCH_NAME" ]]; then
-            git push --quiet origin --delete $BRANCH_NAME
-            echo "Deleted $BRANCH_NAME branch." | tee -a $GITHUB_STEP_SUMMARY
+            git push --quiet origin --delete "$BRANCH_NAME"
+            echo "Deleted $BRANCH_NAME branch." | tee -a "$GITHUB_STEP_SUMMARY"
           fi

.github/workflows/code-references.yml

@@ -19,9 +19,9 @@ jobs:
         id: check-secret-access
         run: |
           if [ "${{ secrets.AZURE_CLIENT_ID }}" != '' ]; then
-            echo "available=true" >> $GITHUB_OUTPUT;
+            echo "available=true" >> "$GITHUB_OUTPUT";
           else
-            echo "available=false" >> $GITHUB_OUTPUT;
+            echo "available=false" >> "$GITHUB_OUTPUT";
           fi
 
   refs:
@@ -37,6 +37,8 @@ jobs:
     steps:
       - name: Check out repository
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - name: Log in to Azure
         uses: bitwarden/gh-actions/azure-login@main
@@ -65,14 +67,14 @@ jobs:
 
       - name: Add label
         if: steps.collect.outputs.any-changed == 'true'
-        run: gh pr edit $PR_NUMBER --add-label feature-flag
+        run: gh pr edit "$PR_NUMBER" --add-label feature-flag
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}
 
       - name: Remove label
         if: steps.collect.outputs.any-changed == 'false'
-        run: gh pr edit $PR_NUMBER --remove-label feature-flag
+        run: gh pr edit "$PR_NUMBER" --remove-label feature-flag
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           PR_NUMBER: ${{ github.event.pull_request.number }}

.github/workflows/enforce-labels.yml

@@ -17,5 +17,5 @@ jobs:
       - name: Check for label
         run: |
           echo "PRs with the hold, needs-qa or ephemeral-environment labels cannot be merged"
-          echo "### :x: PRs with the hold, needs-qa or ephemeral-environment labels cannot be merged" >> $GITHUB_STEP_SUMMARY
+          echo "### :x: PRs with the hold, needs-qa or ephemeral-environment labels cannot be merged" >> "$GITHUB_STEP_SUMMARY"
           exit 1

.github/workflows/load-test.yml

@@ -63,13 +63,15 @@ jobs:
 
       # Datadog agent for collecting OTEL metrics from k6
       - name: Start Datadog agent
+        env:
+          DD_API_KEY: ${{ steps.get-kv-secrets.outputs.DD-API-KEY }}
         run: |
           docker run --detach \
             --name datadog-agent \
             -p 4317:4317 \
             -p 5555:5555 \
             -e DD_SITE=us3.datadoghq.com \
-            -e DD_API_KEY=${{ steps.get-kv-secrets.outputs.DD-API-KEY }} \
+            -e DD_API_KEY="${DD_API_KEY}" \
             -e DD_DOGSTATSD_NON_LOCAL_TRAFFIC=1 \
             -e DD_OTLP_CONFIG_RECEIVER_PROTOCOLS_GRPC_ENDPOINT=0.0.0.0:4317 \
             -e DD_HEALTH_PORT=5555 \