[DT-1122] Apply zizmor suggestions (#126)

* fix: implement zizmor suggestions

* fix: include mavenCentral in Gradle build

* fix: bumper needs to use git token

.github/workflows/build-and-test.yml

@@ -14,6 +14,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Set up JDK 17
         uses: actions/setup-java@v2
         with:
@@ -56,6 +58,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Set up JDK 17
         uses: actions/setup-java@v2
         with:
@@ -86,6 +90,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Set up JDK 17
         uses: actions/setup-java@v2
         with:
@@ -127,6 +133,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Set up JDK 17
         uses: actions/setup-java@v2
         with:
@@ -202,6 +210,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Set up JDK
         uses: actions/setup-java@v2
         with:

.github/workflows/nightly-perf-tests.yml

@@ -21,6 +21,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
 
       - name: Verify perf version matches dev
         run: |

.github/workflows/publish-branch-image.yml

@@ -13,6 +13,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
@@ -52,19 +54,25 @@ jobs:
 
       - name: Construct docker image name and tag
         id: image-name
-        run: echo name=gcr.io/${GOOGLE_PROJECT}/${SERVICE_NAME}:${{ steps.tag.outputs.tag }} >> $GITHUB_OUTPUT
+        run: echo name="gcr.io/${GOOGLE_PROJECT}/${SERVICE_NAME}:${GIT_TAG}" >> $GITHUB_OUTPUT
+        env:
+          GIT_TAG: ${{ steps.tag.outputs.tag }}
 
       - name: Add Google Cloud Profiler to Docker Image
         run: docker build ./service -t drshub:local
 
       - name: Build image locally with jib
         run: |
           ./gradlew --build-cache :service:jibDockerBuild \
-          --image=${{ steps.image-name.outputs.name }} \
+          --image="${IMAGE_NAME}" \
           -Djib.from.image=docker://drshub:local \
           -Djib.console=plain
+        env:
+          IMAGE_NAME: ${{ steps.image-name.outputs.name }}
       - name: Push GCR image
-        run: 'docker push ${{ steps.image-name.outputs.name }}'
+        run: docker push "${IMAGE_NAME}"
+        env:
+          IMAGE_NAME: ${{ steps.image-name.outputs.name }}
 
   report-to-sherlock:
     # Report new drshub version to Broad DevOps

.github/workflows/publish.yml

@@ -13,6 +13,8 @@ jobs:
       tag: ${{ steps.tag.outputs.tag }}
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - name: Set up JDK 17
         uses: actions/setup-java@v3
         with:
@@ -48,25 +50,31 @@ jobs:
 
       - name: Construct docker image name and tag
         id: image-name
-        run: echo name=gcr.io/${GOOGLE_PROJECT}/${SERVICE_NAME}:${{ steps.tag.outputs.tag }} >> $GITHUB_OUTPUT
+        run: echo name="gcr.io/${GOOGLE_PROJECT}/${SERVICE_NAME}:${GIT_TAG}" >> $GITHUB_OUTPUT
+        env:
+          GIT_TAG: ${{ steps.tag.outputs.tag }}
 
       - name: Add Google Cloud Profiler to Docker Image
         run: docker build ./service -t drshub:local
 
       - name: Build image locally with jib
         run: |
           ./gradlew --build-cache :service:jibDockerBuild \
-          --image=${{ steps.image-name.outputs.name }} \
+          --image="${IMAGE_NAME}" \
           -Djib.from.image=docker://drshub:local \
           -Djib.console=plain
+        env:
+          IMAGE_NAME: ${{ steps.image-name.outputs.name }}
       - name: Run Trivy vulnerability scanner
         # Link to the github location of the action https://github.com/broadinstitute/dsp-appsec-trivy-action
         uses: broadinstitute/dsp-appsec-trivy-action@v1
         with:
           image: ${{ steps.image-name.outputs.name }}
 
       - name: Push GCR image
-        run: docker push ${{ steps.image-name.outputs.name }}
+        run: docker push "${IMAGE_NAME}"
+        env:
+          IMAGE_NAME: ${{ steps.image-name.outputs.name }}
 
   report-to-sherlock:
     # Report new drshub version to Broad DevOps

.github/workflows/tag.yml

@@ -61,7 +61,9 @@ jobs:
       - name: Echo tag to console
         if: ${{ (inputs.print-tag == 'true') || (github.event_name == 'workflow_dispatch') }}
         run: |
-          echo "Newly created version tag: '${{ steps.tag.outputs.new_tag }}'"
+          echo "Newly created version tag: '${NEW_TAG}'"
           echo "build.gradle"
           echo "==============="
           cat build.gradle
+        env:
+          NEW_TAG: ${{ steps.tag.outputs.new_tag }}

settings.gradle

@@ -7,6 +7,7 @@ pluginManagement {
 				}
 			}
 		}
+		mavenCentral()
 		maven {
 			url 'https://broadinstitute.jfrog.io/artifactory/plugins-snapshot'
 		}