From ab458d1feed23346f061e119c9a9e38e298f80c6 Mon Sep 17 00:00:00 2001
From: mattip
Date: Sun, 8 Dec 2024 09:32:55 +0200
Subject: [PATCH] audit workflows via zizmor and correct use of env variables
---
 .github/workflows/create-translations-pr.yml | 13 +++++++++----
 .github/workflows/gh-pages.yml | 7 ++++---
 2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/create-translations-pr.yml b/.github/workflows/create-translations-pr.yml
index 3804511d42..c692fe920f 100644
--- a/.github/workflows/create-translations-pr.yml
+++ b/.github/workflows/create-translations-pr.yml
@@ -22,6 +22,7 @@ jobs:
 fetch-depth: 0 # Gets full github history.
 # Full history is needed for the scripted interactive rebase
 # which takes place in create_branch_for_language.sh below.
+ persist-credentials: false
 - name: Checkout scientific-python-translations automations
 uses: actions/checkout@v4
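Review bot: `persist-credentials: false` on this checkout removes the token the action used to leave in the clone's `.git/config`, yet the `git push -u origin "$branch_name"` in the next hunk runs inside that same clone (`working-directory: ./numpy.org`); `GITHUB_TOKEN` in the step `env` is honored by `gh`, not by plain `git`, so unless `create_branch_for_language.sh` configures authentication itself (its contents are not in this diff) the push will be rejected. If the script does not, run `gh auth setup-git` in that step before the push so git borrows gh's credential helper, or keep credentials persisted on this one checkout only, since it is the repository being written to. The checkout step's `- uses:` and `with:` lines start before this hunk.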
@@ -29,25 +30,29 @@ jobs:
 repository: 'scientific-python-translations/automations'
 path: 'automations'
 ref: 'main'
+ persist-credentials: false
 - name: Create translations branch for language of interest
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ LANG: ${{ github.event.inputs.language_code }}
 run: |
 git config --global user.email "actions@github.com"
 git config --global user.name "GitHub Actions"
- ../automations/scripts/create_branch_for_language.sh origin main l10n_main ${{ github.event.inputs.language_code }}
+ ../automations/scripts/create_branch_for_language.sh origin main l10n_main "$LANG"
 branch_name=$(git rev-parse --abbrev-ref HEAD)
- git push -u origin $branch_name
+ git push -u origin "$branch_name"
 echo "BRANCH_NAME=$branch_name" >> $GITHUB_ENV
 working-directory: ./numpy.org
 - name: Create Pull Request
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ BRANCH_NAME: ${{ env.BRANCH_NAME }}
+ LANG: ${{ github.event.inputs.language_code }}
 run: |
- language_name=$(../automations/scripts/get_language_name.sh ${{ github.event.inputs.language_code }})
- gh pr create --base main --head ${{ env.BRANCH_NAME }} --title "Update translations for $language_name" \
+ language_name=$(../automations/scripts/get_language_name.sh "$LANG")
+ gh pr create --base main --head "$BRANCH_NAME" --title "Update translations for $language_name" \
 --body "This PR to update translations for $language_name was generated by the GitHub workflow, \
 auto-translations-pr.yml and includes all commits from this repo's Crowdin branch for the language \
 of interest. A final check of the rendered docs is needed to identify if there are any formatting \
diff --git a/.github/workflows/gh-pages.yml b/.github/workflows/gh-pages.yml
index 822b8e19df..8d29fe655a 100644
--- a/.github/workflows/gh-pages.yml
+++ b/.github/workflows/gh-pages.yml
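Review bot: `LANG` is the POSIX locale variable, so `LANG: ${{ github.event.inputs.language_code }}` on both steps in this hunk replaces the runner's locale with a workflow input for the whole step, where an unexpected value can change how `git`, `gh` and the scripts sort and encode their output or trigger setlocale warnings; a name such as `LANGUAGE_CODE: ${{ github.event.inputs.language_code }}`, read as `"$LANGUAGE_CODE"` in the two `run:` blocks, carries the same value without that side effect. Moving the input out of the shell text into `env` is the right fix for the injection that zizmor reports; the rename only keeps it from colliding with the locale. `BRANCH_NAME: ${{ env.BRANCH_NAME }}` on the second step is redundant, since anything written to `$GITHUB_ENV` is already exported to later steps, and the unquoted `>> $GITHUB_ENV` would be more robust as `>> "$GITHUB_ENV"`.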
@@ -21,8 +21,9 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
+ persist-credentials: false
 submodules: recursive
 fetch-depth: 0
@@ -38,8 +39,8 @@ jobs:
 env:
 HUGO_VERSION: ${{ steps.hugo-version.outputs.HUGO_VERSION }}
 run: |
- wget -O ${{ runner.temp }}/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
- && sudo dpkg -i ${{ runner.temp }}/hugo.deb
+ wget -O /tmp/hugo.deb https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \
+ && sudo dpkg -i /tmp/hugo.deb
 - name: Install Dart Sass
 env:
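Review bot: The bumped `uses: actions/checkout@v4` is still a mutable tag, which zizmor's `unpinned-uses` audit flags; pinning to the release commit, `uses: actions/checkout@<commit-sha-of-the-v4-release>  # v4`, makes the action immutable while the trailing comment keeps the version readable for automated bumps. The same applies to the two `actions/checkout@v4` uses in create-translations-pr.yml. `persist-credentials: false` together with `submodules: recursive` is fine here, since the action only needs the token while it fetches; whether a later deploy step in this file pushes from this clone is not visible in the hunk.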
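Review bot: Swapping `${{ runner.temp }}` for `/tmp` changes where the download lands rather than just removing the expression from `run:`; the runner exports the same directory as `RUNNER_TEMP`, so `wget -O "$RUNNER_TEMP/hugo.deb" https://github.com/gohugoio/hugo/releases/download/v${HUGO_VERSION}/hugo_extended_${HUGO_VERSION}_linux-amd64.deb \` and `&& sudo dpkg -i "$RUNNER_TEMP/hugo.deb"` keep the per-job temp directory and still satisfy the template-injection audit. The package is then installed with `sudo dpkg -i` straight from the download with no integrity check; Hugo publishes a checksums file with each release, and fetching it and running `sha256sum -c` on the .deb before `dpkg -i` would reject a corrupted or substituted download. The step's `- name:` line lies outside the hunk.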