
@brynary (Member) commented Nov 29, 2025

Has not been verified yet

Copilot AI review requested due to automatic review settings November 29, 2025 05:34
@qltysh (Contributor): qltysh bot commented Nov 29, 2025

All good ✅

Copilot finished reviewing on behalf of brynary November 29, 2025 05:36
Copilot AI (Contributor) left a comment


Pull request overview

This PR applies automated security fixes from zizmor, a GitHub Actions security linting tool. The changes focus on two main security improvements: adding persist-credentials: false to checkout actions to prevent credential exposure, and converting inline GitHub Actions expressions to environment variables to mitigate script injection vulnerabilities.

Key Changes

  • Added persist-credentials: false to all actions/checkout steps across 13 workflow files
  • Converted inline ${{ }} expressions in shell scripts to environment variables with proper env: blocks
  • Renamed variable references to use shell syntax (${VAR}) instead of GitHub Actions expression syntax

Reviewed changes

Copilot reviewed 14 out of 14 changed files in this pull request and generated 4 comments.

Summary per file

File | Description
.github/workflows/update_linter_versions.yml | Added persist-credentials: false to checkout action
.github/workflows/release_promote.yml | Converted S3 path expressions to environment variables
.github/workflows/release_installer.yml | Added credential persistence control and converted S3 paths to env vars
.github/workflows/release.yml | Added credential control and converted multiple expressions to env vars (has critical bugs)
.github/workflows/prepare_release.yml | Added persist-credentials: false to checkout action
.github/workflows/plugins.yml | Added persist-credentials: false to checkout action
.github/workflows/installer_test.yml | Added persist-credentials: false to checkout action
.github/workflows/fmt.yml | Added persist-credentials: false to checkout action
.github/workflows/docker.yml | Added credential control and converted digest/image expressions to env vars (has critical bug)
.github/workflows/cli_integration.yml | Added persist-credentials: false to checkout action
.github/workflows/cli.yml | Added persist-credentials: false to checkout action
.github/workflows/claude.yml | Added persist-credentials: false to checkout action
.github/workflows/changelog.yml | Added persist-credentials: false to checkout action
.github/workflows/build.yml | Added credential control and converted Homebrew formula expressions to env vars

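As an added example (not part of this PR or the qlty project), a small POSIX shell simulation of what the second change guards against: the runner pastes a ${{ }} expression into the script text before the shell parses it, whereas a value supplied through an env: block reaches the script as an ordinary variable. The sample PR title and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: emulate how the Actions runner handles a `run:` step.
# A ${{ expr }} inside `run:` is substituted textually *before* the shell
# reads the script, so untrusted context (PR titles, branch names, issue
# bodies) becomes shell syntax. A value passed via `env:` is only ever data.

# Constructed untrusted input, e.g. github.event.pull_request.title.
UNTRUSTED_TITLE='fix"; echo INJECTED; echo "'

# Vulnerable pattern, emulating:
#   run: echo "Title: ${{ github.event.pull_request.title }}"
# The runner renders the template into script text and then executes it.
run_inline_expression() {
  rendered=$(printf 'echo "Title: %s"' "$1")   # textual substitution
  sh -c "$rendered"
}

# Hardened pattern (what this PR converts to), emulating:
#   env:
#     PR_TITLE: ${{ github.event.pull_request.title }}
#   run: echo "Title: ${PR_TITLE}"
# The script text is constant; the value lives only in a variable.
run_via_env() {
  PR_TITLE="$1" sh -c 'echo "Title: ${PR_TITLE}"'
}

# Returns 0 when a captured output contains a line produced by the
# injected command, i.e. when the input was executed rather than echoed.
injected() {
  printf '%s\n' "$1" | grep -q '^INJECTED$'
}
```

Run with the inline emulation the output contains a separate INJECTED line; run through env the title is printed verbatim, quotes and all.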

@qltysh (Contributor): qltysh bot commented Nov 29, 2025

Diff Coverage for macos-15: Not applicable. There was no coverage data reported for the files in this diff.

Total Coverage for macos-15: This PR will decrease coverage by 0.01%.

File Coverage Changes

Path | File Coverage Δ | Indirect
qlty-cli/src/auth/auth_flow.rs | -0.6 |
qlty-config/src/library.rs | -0.5 |
qlty-coverage/src/ci/github.rs | -0.3 |
🛟 Help
  • Diff Coverage: Coverage for added or modified lines of code (excludes deleted files).
  • Total Coverage: Coverage for the whole repository, calculated as the sum of all File Coverage.
  • File Coverage: Covered Lines divided by Covered Lines plus Missed Lines. (Excludes non-executable lines including blank lines and comments.)
    • Indirect Changes: Changes to File Coverage for files that were not modified in this PR.

@qltysh (Contributor): qltysh bot commented Nov 29, 2025

Diff Coverage for ubuntu-latest: Not applicable. There was no coverage data reported for the files in this diff.

Total Coverage for ubuntu-latest: This PR will decrease coverage by 0.01%.

File Coverage Changes

Path | File Coverage Δ | Indirect
qlty-cli/src/auth/auth_flow.rs | -0.6 |
qlty-coverage/src/ci/github.rs | -0.3 |

Copilot AI review requested due to automatic review settings November 29, 2025 05:39
Copilot finished reviewing on behalf of brynary November 29, 2025 05:41
Copilot AI (Contributor) left a comment


Pull request overview

Copilot reviewed 14 out of 14 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

.github/workflows/docker.yml:1 (context line: name: Docker)

  • The conversion is incomplete. The expression ${{ env.REGISTRY }} was not converted to an environment variable like ${IMAGE_NAME} was. This creates an inconsistent pattern and the ${{ env.REGISTRY }} expression should be moved to the env block and referenced as ${REGISTRY} in the shell script.


# Write and read notes from a file to avoid quoting breaking things
echo "$ANNOUNCEMENT_BODY" > $RUNNER_TEMP/notes.txt
gh release create "v${{ steps.version.outputs.version }}" $PRERELEASE_FLAG --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" target/distrib/*
gh release create "v${STEPS_VERSION_OUTPUTS_VERSION}" "$PRERELEASE_FLAG" --title "$ANNOUNCEMENT_TITLE" --notes-file "$RUNNER_TEMP/notes.txt" target/distrib/*
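Review bot: quoting "$PRERELEASE_FLAG" on the new gh release create line changes behaviour when the variable is empty. The unquoted form on the old line dropped an empty value entirely, while "$PRERELEASE_FLAG" passes a literal empty-string positional argument that gh will try to treat as an asset file. If PRERELEASE_FLAG is empty for non-prerelease builds, expand it conditionally, e.g. ${PRERELEASE_FLAG:+"$PRERELEASE_FLAG"}, or set --prerelease inside an if branch instead of through a variable. Separately, the env: entry that maps steps.version.outputs.version to STEPS_VERSION_OUTPUTS_VERSION is not visible in this hunk; if it is missing, the tag argument collapses to "v", so confirm the mapping exists on this step.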

Copilot AI Nov 29, 2025


The variable $PRERELEASE_FLAG should be quoted to prevent word splitting issues when it's empty or contains spaces. Change to "$PRERELEASE_FLAG".
