chore: address zizmor complaints (#2)

johnstcn · web-flow · commit 1730a16d8aa6 · 2025-11-06T10:36:36.000Z
diff --git a/test-workflow.yml b/test-workflow.yml
@@ -3,11 +3,15 @@ on: issues
 
 jobs:
   test-task-creation:
+    permissions:
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
-      
+        with:
+          persist-credentials: false
+
       - name: Test action - Create new task
         id: create_task
         uses: ./
@@ -22,30 +26,39 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           github-issue-url: ${{ github.event.issue.html_url }}
           comment-on-issue: "false"
-      
+
       - name: Verify outputs from create
+        env:
+          TASK_CREATED: ${{ steps.create_task.outputs.task-created }}
+          TASK_NAME: ${{ steps.create_task.outputs.task-name }}
+          TASK_URL: ${{ steps.create_task.outputs.task-url }}
+          CODER_USERNAME: ${{ steps.create_task.outputs.coder-username }}
         run: |
-          echo "Task created: ${{ steps.create_task.outputs.task-created }}"
-          echo "Task name: ${{ steps.create_task.outputs.task-name }}"
-          echo "Task URL: ${{ steps.create_task.outputs.task-url }}"
-          echo "Coder username: ${{ steps.create_task.outputs.coder-username }}"
-          
-          # Verify outputs are not empty
-          if [ -z "${{ steps.create_task.outputs.task-name }}" ]; then
-            echo "ERROR: task-name output is empty"
+          echo "Task created: ${TASK_CREATED}"
+          echo "Task name: ${TASK_NAME}"
+          echo "Task URL: ${TASK_URL}"
+          echo "Coder username: ${CODER_USERNAME}"
+
+          # Verify outputs. These need to be kept in sync with test-event.json
+          if [[ ${TASK_CREATED} != "true" ]]; then
+            echo "ERROR: task-created output should be true"
             exit 1
           fi
-          if [ -z "${{ steps.create_task.outputs.task-url }}" ]; then
-            echo "ERROR: task-url output is empty"
+          if [[ ${TASK_NAME} != "integration-test-1" ]]; then
+            echo "ERROR: task-name output mismatch"
             exit 1
           fi
-          if [ -z "${{ steps.create_task.outputs.coder-username }}" ]; then
-            echo "ERROR: coder-username output is empty"
+          if [[ ${CODER_USERNAME} != "testuser" ]]; then
+            echo "ERROR: coder-username output mismatch"
             exit 1
           fi
-          
-          echo "✅ All outputs present"
-      
+          if [[ ! ${TASK_URL} =~ /tasks/${CODER_USERNAME}/[a-f0-9-]+$ ]]; then
+            echo "ERROR: task-url output does not match expected format"
+            exit 1
+          fi
+
+          echo "✅ All outputs verified"
+
       - name: Test action - Update existing task
         id: update_task
         uses: ./
@@ -60,24 +73,48 @@ jobs:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           github-issue-url: ${{ github.event.issue.html_url }}
           comment-on-issue: "false"
-      
+
       - name: Verify outputs from update
+        env:
+          PREV_TASK_NAME: ${{ steps.create_task.outputs.task-name }}
+          PREV_TASK_URL: ${{ steps.create_task.outputs.task-url }}
+          PREV_CODER_USERNAME: ${{ steps.create_task.outputs.coder-username }}
+          TASK_CREATED: ${{ steps.update_task.outputs.task-created }}
+          TASK_NAME: ${{ steps.update_task.outputs.task-name }}
+          TASK_URL: ${{ steps.update_task.outputs.task-url }}
+          CODER_USERNAME: ${{ steps.update_task.outputs.coder-username }}
         run: |
-          echo "Task created: ${{ steps.update_task.outputs.task-created }}"
-          echo "Task name: ${{ steps.update_task.outputs.task-name }}"
-          
+          echo "Task created: ${TASK_CREATED}"
+          echo "Task name: ${TASK_NAME}"
+          echo "Task URL: ${TASK_URL}"
+          echo "Coder username: ${CODER_USERNAME}"
+
           # Verify task was not created (should be false for update)
-          if [ "${{ steps.update_task.outputs.task-created }}" != "false" ]; then
-            echo "ERROR: Expected task-created to be false for update, got: ${{ steps.update_task.outputs.task-created }}"
+          if [[ "${TASK_CREATED}" != "false" ]]; then
+            echo "ERROR: Expected task-created to be false for update, got: ${TASK_CREATED}"
             exit 1
           fi
-          
-          # Verify task names match (same task)
-          if [ "${{ steps.create_task.outputs.task-name }}" != "${{ steps.update_task.outputs.task-name }}" ]; then
+
+          # Verify other outputs match previous
+          if [[ ${PREV_TASK_NAME} != "${TASK_NAME}" ]]; then
             echo "ERROR: Task names don't match"
-            echo "  Create: ${{ steps.create_task.outputs.task-name }}"
-            echo "  Update: ${{ steps.update_task.outputs.task-name }}"
+            echo "  Create: ${PREV_TASK_NAME}"
+            echo "  Update: ${TASK_NAME}"
+            exit 1
+          fi
+
+          if [[ ${PREV_TASK_URL} != "${TASK_URL}" ]]; then
+            echo "ERROR: Task URLs don't match"
+            echo "  Create: ${PREV_TASK_URL}"
+            echo "  Update: ${TASK_URL}"
             exit 1
           fi
-          
+
+          if [[ ${PREV_CODER_USERNAME} != "${CODER_USERNAME}" ]]; then
+            echo "ERROR: Coder usernames don't match"
+            echo "  Create: ${PREV_CODER_USERNAME}"
+            echo "  Update: ${CODER_USERNAME}"
+            exit 1
+          fi
+
           echo "✅ Update task behavior verified"
