Bump superlinter to v8.2.1

.github/linters/trivy.yaml

@@ -0,0 +1,3 @@
+scan:
+  skip-dirs:
+    - "vendor/*"

.github/workflows/base_image_update.yaml

@@ -27,6 +27,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install script dependencies
         run: pip install -r ./requirements.txt

.github/workflows/build_test_images.yaml

@@ -20,6 +20,8 @@ jobs:
     steps:
       - name: Check out the repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install script dependencies
         run: pip install -r ./requirements.txt
@@ -47,6 +49,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: Write OpenStack credentials
         run: echo "$OS_CLOUDS" > ./clouds.yaml
@@ -93,14 +96,18 @@ jobs:
         run: sudo apt-get -y install libguestfs-tools
 
       - name: mkdir for mount
-        run: sudo mkdir -p './${{ steps.publish-image.outputs.image-name }}'
+        run: sudo mkdir -p './${STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME}'
+        env:
+          STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME: ${{ steps.publish-image.outputs.image-name }}
 
       - name: mount qcow2 file
         run: >
           sudo guestmount -a
-          ${{ steps.publish-image.outputs.image-name }}.qcow2
+          "${STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME}.qcow2"
           -i --ro -o allow_other
-          './${{ steps.publish-image.outputs.image-name }}'
+          './${STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME}'
+        env:
+          STEPS_PUBLISH_IMAGE_OUTPUTS_IMAGE_NAME: ${{ steps.publish-image.outputs.image-name }}
 
       - name: Fail if scan has CRITICAL vulnerabilities
         uses: aquasecurity/[email protected]
@@ -139,6 +146,8 @@ jobs:
     steps:
       - name: Check out the repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Read matrix outputs
         id: matrix-outputs
@@ -252,6 +261,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install s3cmd
         run: |

.github/workflows/kubernetes_update.yaml

@@ -22,6 +22,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install script dependencies
         run: pip install -r ./requirements.txt
@@ -57,6 +59,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install script dependencies
         run: pip install -r ./requirements.txt
@@ -94,6 +98,7 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: recursive
+          persist-credentials: false
 
       - name: Check for most recent image-builder release
         id: next
@@ -106,8 +111,10 @@ jobs:
         working-directory: ./vendor/image-builder
 
       - name: Update image-builder submodule
-        run: git checkout ${{ steps.next.outputs.version }}
+        run: git checkout "${STEPS_NEXT_OUTPUTS_VERSION}"
         working-directory: ./vendor/image-builder
+        env:
+          STEPS_NEXT_OUTPUTS_VERSION: ${{ steps.next.outputs.version }}
 
       - name: Generate app token for PR
         uses: azimuth-cloud/github-actions/generate-app-token@master

.github/workflows/lint.yml

@@ -27,6 +27,7 @@ jobs:
           # list of files that changed across commits
           fetch-depth: 0
           submodules: true
+          persist-credentials: false
 
       - name: Run ansible-lint
         uses: ansible/[email protected]
@@ -41,7 +42,7 @@ jobs:
         if: always()
 
       - name: Run super-linter
-        uses: super-linter/super-linter@v7.3.0
+        uses: super-linter/super-linter@v8.2.1
         if: always()
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr.yaml

@@ -57,6 +57,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install s3cmd
         run: |

.github/workflows/purge_defunct_images.yaml

@@ -17,6 +17,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install script dependencies
         run: pip install -r ./requirements.txt

.github/workflows/tag.yaml

@@ -15,6 +15,8 @@ jobs:
     steps:
       - name: Check out the repository
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Install s3cmd
         run: |

.github/workflows/update-dependencies.yaml

@@ -87,6 +87,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Check for most recent GitHub release
         id: next

super-linter.env

@@ -18,3 +18,15 @@ VALIDATE_YAML_PRETTIER=false
 
 # Set to the default filename for yamllint
 YAML_CONFIG_FILE=.yamllint.yml
+
+# Don't validate python files with Black as it conflicts
+# with Ruff
+VALIDATE_PYTHON_BLACK=false
+
+# Don't validate files with Biome as it conflicts with
+# many other linters
+VALIDATE_BIOME_FORMAT=false
+VALIDATE_BIOME_LINT=false
+
+# Don't run Zizmor GHA linter and static analysis tool
+VALIDATE_GITHUB_ACTIONS_ZIZMOR=false