dave2wave commented on issue #7:
URL: https://github.com/apache/tooling-actions/issues/7#issuecomment-4106818999
From ChatGPT:
Yeah—this one is a bit surprising at first glance, because you *are* using
`env:` correctly for the secrets. The issue isn’t the secrets themselves—it’s
this line:
```yaml
NJORD_STORE: atr-deployment-${{ inputs.distribution-package }}-${{
inputs.distribution-version }}
```
## What zizmor is actually complaining about
In newer versions, zizmor’s **“secrets outside env”** rule also covers a
broader category:
> **Any expression interpolation inside `env:` that mixes runtime values
(`inputs`, `github`, etc.)**
Why? Because:
* `${{ ... }}` is evaluated **before the job runs** (workflow expression
phase)
* `env:` is supposed to be a **runtime injection boundary**
* Mixing evaluated expressions into `env:` can:
* create confusing data flow
* accidentally propagate secrets or sensitive values via string composition
* blur the line between *compile-time* and *runtime* data
So even though your secrets are fine, zizmor flags the *pattern class*.
---
## Why your specific line triggers it
```yaml
NJORD_STORE: atr-deployment-${{ inputs.distribution-package }}-${{
inputs.distribution-version }}
```
This is:
* Not a secret
* But **still an interpolated expression inside `env:`**
zizmor treats this similarly to:
```yaml
ENV_VAR: ${{ something.dynamic }}
```
---
## Recommended fix (zizmor-clean)
Move expression evaluation into a step, and keep `env:` static or
secret-only.
### Option 1 — Compute at runtime (preferred)
```yaml
steps:
- name: Compute NJORD_STORE
run: |
echo "NJORD_STORE=atr-deployment-${{ inputs.distribution-package
}}-${{ inputs.distribution-version }}" >> $GITHUB_ENV
```
Then use it normally later:
```yaml
- run: echo "$NJORD_STORE"
```
---
### Option 2 — Inline at usage (simpler)
If only used once:
```yaml
- run: |
STORE="atr-deployment-${{ inputs.distribution-package }}-${{
inputs.distribution-version }}"
echo "$STORE"
```
---
### Option 3 — Accept and suppress (reasonable here)
This is honestly a **low-risk case**, because:
* No secrets involved in `NJORD_STORE`
* Inputs are controlled
* No third-party action exposure
If you prefer readability:
```yaml
# zizmor: ignore[secrets-outside-env]
NJORD_STORE: atr-deployment-${{ inputs.distribution-package }}-${{
inputs.distribution-version }}
```
---
## Important: your secrets usage is already correct
These are **good and should not be changed**:
```yaml
CENTRAL_USERNAME: ${{ secrets.CENTRAL_USERNAME }}
CENTRAL_PASSWORD: ${{ secrets.CENTRAL_PASSWORD }}
```
They follow best practice:
* injected via `env`
* consumed at runtime
* not exposed in `run:` expressions
---
## Practical guidance
For a repo like yours:
* **Strict mode (fully clean):**
* Only literals + `${{ secrets.* }}` in `env:`
* Move everything else to `$GITHUB_ENV`
* **Pragmatic mode (recommended):**
* Allow `${{ inputs.* }}` in `env:`
* Suppress zizmor for those lines
* Keep strict rules for anything involving secrets
---
If you want, I can rewrite your entire workflow to be:
* zizmor-clean
* minimal duplication
* still readable (this is where most “secure” rewrites get ugly fast)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
