ci: resolve warnings and implement linter for GitHub Actions

.github/workflows/build-container.yml

@@ -41,12 +41,15 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Prepare variables
         id: prepare
+        env:
+          GITHUB_REPOSITORY_LC: ${{ github.repository }}
         run: |
           BRANCH_NAME=$(echo "${GITHUB_REF##*/}" | tr '[:upper:]' '[:lower:]')
-          REPO_NAME=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+          REPO_NAME=$(echo "${GITHUB_REPOSITORY_LC}" | tr '[:upper:]' '[:lower:]')
           echo "tag=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
           echo "repo=${REPO_NAME}" >> "$GITHUB_OUTPUT"
 
@@ -85,12 +88,15 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Prepare variables
         id: prepare
+        env:
+          GITHUB_REPOSITORY_LC: ${{ github.repository }}
         run: |
           BRANCH_NAME=$(echo "${GITHUB_REF##*/}" | tr '[:upper:]' '[:lower:]')
-          REPO_NAME=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+          REPO_NAME=$(echo "${GITHUB_REPOSITORY_LC}" | tr '[:upper:]' '[:lower:]')
           echo "tag=${BRANCH_NAME}" >> "$GITHUB_OUTPUT"
           echo "repo=${REPO_NAME}" >> "$GITHUB_OUTPUT"
 
@@ -128,6 +134,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
@@ -140,9 +147,13 @@ jobs:
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Create and push multi-arch manifest
+        env:
+          REPO_NAME: ${{ needs.build-amd64.outputs.repo }}
+          CONTAINER_NAME: ${{ inputs.name }}
+          BRANCH_TAG: ${{ needs.build-amd64.outputs.tag }}
         run: |
-          REPO="ghcr.io/${{ needs.build-amd64.outputs.repo }}/${{ inputs.name }}"
-          TAG="${{ needs.build-amd64.outputs.tag }}"
+          REPO="ghcr.io/${REPO_NAME}/${CONTAINER_NAME}"
+          TAG="${BRANCH_TAG}"
           HASH_TAG="${{ hashFiles(inputs.file) }}"
 
           # Create manifest from arch-specific images

.github/workflows/build-depends.yml

@@ -40,6 +40,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
           sparse-checkout: |
             ci/dash
             ci/test
@@ -52,8 +53,10 @@ jobs:
 
       - name: Compute cache key
         id: setup
+        env:
+          BUILD_TARGET: ${{ inputs.build-target }}
+          RUNS_ON: ${{ inputs.runs-on }}
         run: |
-          BUILD_TARGET="${{ inputs.build-target }}"
           source ./ci/dash/matrix.sh
           echo "DEP_OPTS=${DEP_OPTS}" >> "${GITHUB_OUTPUT}"
           echo "HOST=${HOST}" >> "${GITHUB_OUTPUT}"
@@ -62,7 +65,7 @@ jobs:
           echo "DEP_HASH=${DEP_HASH}" >> "${GITHUB_OUTPUT}"
           DOCKERFILE_HASH="${{ hashFiles('contrib/containers/ci/ci.Dockerfile', 'contrib/containers/ci/ci-slim.Dockerfile') }}"
           PACKAGES_HASH="${{ hashFiles('depends/packages/*', 'depends/Makefile') }}"
-          CACHE_KEY="depends-${DOCKERFILE_HASH}-${{ inputs.runs-on }}-${{ inputs.build-target }}-${DEP_HASH}-${PACKAGES_HASH}"
+          CACHE_KEY="depends-${DOCKERFILE_HASH}-${RUNS_ON}-${BUILD_TARGET}-${DEP_HASH}-${PACKAGES_HASH}"
           echo "cache-key=${CACHE_KEY}" >> "${GITHUB_OUTPUT}"
           echo "Cache key: ${CACHE_KEY}"
         shell: bash
@@ -101,6 +104,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Restore depends sources
         uses: actions/cache/restore@v5
@@ -127,9 +131,14 @@ jobs:
             depends-${{ hashFiles('contrib/containers/ci/ci.Dockerfile', 'contrib/containers/ci/ci-slim.Dockerfile') }}-${{ inputs.build-target }}-
 
       - name: Build depends
+        env:
+          HOST: ${{ needs.check-cache.outputs.host }}
+          DEP_OPTS: ${{ needs.check-cache.outputs.dep-opts }}
         run: |
-          export HOST="${{ needs.check-cache.outputs.host }}"
-          env ${{ needs.check-cache.outputs.dep-opts }} make -j$(nproc) -C depends
+          if [ "${HOST}" = "x86_64-apple-darwin" ]; then
+            ./contrib/containers/guix/scripts/setup-sdk
+          fi
+          env ${DEP_OPTS} make -j$(nproc) -C depends
 
       - name: Save depends cache
         uses: actions/cache/save@v5

.github/workflows/build-src.yml

@@ -48,16 +48,19 @@ jobs:
         with:
           ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 50
+          persist-credentials: false
 
       - name: Initial setup
         id: setup
+        env:
+          BUILD_TARGET: ${{ inputs.build-target }}
+          PR_BASE_SHA: ${{ github.event.pull_request.base.sha || '' }}
         run: |
           git config --global --add safe.directory "$PWD"
           git fetch -fu origin develop:develop
-          BUILD_TARGET="${{ inputs.build-target }}"
           source ./ci/dash/matrix.sh
           echo "HOST=${HOST}" >> $GITHUB_OUTPUT
-          echo "PR_BASE_SHA=${{ github.event.pull_request.base.sha || '' }}" >> $GITHUB_OUTPUT
+          echo "PR_BASE_SHA=${PR_BASE_SHA}" >> $GITHUB_OUTPUT
         shell: bash
 
       - name: Restore SDKs cache
@@ -77,10 +80,13 @@ jobs:
           fail-on-cache-miss: true
 
       - name: Rebuild depends prefix
+        env:
+          DEPENDS_HOST: ${{ inputs.depends-host }}
+          DEP_OPTS: ${{ inputs.depends-dep-opts }}
         run: |
           # Use the HOST and DEP_OPTS from the depends build, not this build-target
           # This ensures the build_id matches the cached packages
-          make -j$(nproc) -C depends HOST="${{ inputs.depends-host }}" ${{ inputs.depends-dep-opts }}
+          env ${DEP_OPTS} make -j$(nproc) -C depends HOST="${DEPENDS_HOST}"
         shell: bash
 
       - name: Restore ccache cache
@@ -93,12 +99,13 @@ jobs:
             ccache-${{ hashFiles('contrib/containers/ci/ci.Dockerfile', 'depends/packages/*') }}-${{ inputs.build-target }}-
 
       - name: Build source
+        env:
+          BUILD_TARGET: ${{ inputs.build-target }}
         run: |
           CCACHE_MAXSIZE="600M"
           CACHE_DIR="/cache"
           mkdir /output
           BASE_OUTDIR="/output"
-          BUILD_TARGET="${{ inputs.build-target }}"
           source ./ci/dash/matrix.sh
           ./ci/dash/build_src.sh
           ccache -X 9
@@ -129,9 +136,9 @@ jobs:
 
       - name: Run linters
         if: inputs.build-target == 'linux64_multiprocess'
+        env:
+          BUILD_TARGET: ${{ inputs.build-target }}
         run: |
-          CACHE_DIR="/cache"
-          export BUILD_TARGET="${{ inputs.build-target }}"
           source ./ci/dash/matrix.sh
           ./ci/dash/lint-tidy.sh
         shell: bash
@@ -148,16 +155,18 @@ jobs:
           key: ctcache-${{ hashFiles('contrib/containers/ci/ci.Dockerfile', 'depends/packages/*') }}-${{ inputs.build-target }}-${{ github.sha }}
 
       - name: Run unit tests
+        env:
+          BUILD_TARGET: ${{ inputs.build-target }}
         run: |
-          BUILD_TARGET="${{ inputs.build-target }}"
           source ./ci/dash/matrix.sh
           ./ci/dash/test_unittests.sh
         shell: bash
 
       - name: Bundle artifacts
         id: bundle
+        env:
+          BUILD_TARGET: ${{ inputs.build-target }}
         run: |
-          export BUILD_TARGET="${{ inputs.build-target }}"
           export BUNDLE_KEY="build-${BUILD_TARGET}-$(git rev-parse --short=8 HEAD)"
           find "build-ci/dashcore-${BUILD_TARGET}/src/" -name "*.a" -type f -delete
           find "build-ci/dashcore-${BUILD_TARGET}/src/" -name "*.o" -type f -delete

.github/workflows/build.yml

@@ -32,11 +32,15 @@ jobs:
     steps:
       - name: Check skip environment variables
         id: skip-check
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          SKIP_ON_PUSH: ${{ vars.SKIP_ON_PUSH }}
+          SKIP_ON_PR: ${{ vars.SKIP_ON_PR }}
         run: |
-          if [[ "${{ github.event_name }}" == "push" && "${{ vars.SKIP_ON_PUSH }}" != "" ]]; then
+          if [[ "${EVENT_NAME}" == "push" && "${SKIP_ON_PUSH}" != "" ]]; then
             echo "Skipping build on push due to SKIP_ON_PUSH environment variable"
             echo "skip=true" >> $GITHUB_OUTPUT
-          elif [[ "${{ github.event_name }}" == "pull_request_target" && "${{ vars.SKIP_ON_PR }}" != "" ]]; then
+          elif [[ "${EVENT_NAME}" == "pull_request_target" && "${SKIP_ON_PR}" != "" ]]; then
             echo "Skipping build on pull request due to SKIP_ON_PR environment variable"
             echo "skip=true" >> $GITHUB_OUTPUT
           else
@@ -46,6 +50,8 @@ jobs:
       - name: Checkout code
         if: ${{ steps.skip-check.outputs.skip == 'false' }}
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
 
       - name: Select runners
         id: select-runner

.github/workflows/cache-depends-sources.yml

@@ -12,6 +12,9 @@ on:
     # Run daily at 6 AM UTC on the default branch to keep cache warm
     - cron: '0 6 * * *'
 
+permissions:
+  contents: read
+
 jobs:
   cache-sources:
     name: Cache depends sources
@@ -23,6 +26,7 @@ jobs:
         uses: actions/checkout@v6
         with:
           ref: ${{ github.event.pull_request.head.sha }}
+          persist-credentials: false
 
       - name: Check for cached sources
         id: cache-check

.github/workflows/clang-diff-format.yml

@@ -4,6 +4,10 @@ on:
   pull_request:
     branches:
       - develop
+
+permissions:
+  contents: read
+
 jobs:
   ClangFormat:
     runs-on: ubuntu-latest
@@ -12,6 +16,8 @@ jobs:
     steps:
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          persist-credentials: false
       - name: Fetch git
         run: git fetch --no-tags -fu origin develop:develop
       - name: Run Clang-Format-Diff.py

.github/workflows/guix-build.yml

@@ -1,10 +1,5 @@
 name: Guix Build
 
-permissions:
-  packages: write
-  id-token: write
-  attestations: write
-
 on:
   pull_request_target:
     types: [labeled]
@@ -13,9 +8,15 @@ on:
     # Run weekly at 3 AM UTC on Sunday on the default branch
     - cron: '0 3 * * 0'
 
+permissions:
+  contents: read
+
 jobs:
   build-image:
     runs-on: ubuntu-24.04-arm
+    permissions:
+      contents: read
+      packages: write
     if: |
       (github.event_name == 'push' && (startsWith(github.ref, 'refs/tags/') || vars.RUN_GUIX_ON_ALL_PUSH == 'true')) ||
       contains(github.event.pull_request.labels.*.name, 'guix-build') ||
@@ -30,18 +31,21 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
           path: dash
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v4
 
       - name: Commit variables
         id: prepare
+        env:
+          GITHUB_REPOSITORY_LC: ${{ github.repository }}
         run: |
           echo "hash=$(sha256sum ./dash/contrib/containers/guix/Dockerfile | cut -d ' ' -f1)" >> $GITHUB_OUTPUT
           echo "host_user_id=$(id -u)" >> $GITHUB_OUTPUT
           echo "host_group_id=$(id -g)" >> $GITHUB_OUTPUT
           BRANCH_NAME=$(echo "${GITHUB_REF##*/}" | tr '[:upper:]' '[:lower:]')
-          REPO_NAME=$(echo "${{ github.repository }}" | tr '[:upper:]' '[:lower:]')
+          REPO_NAME=$(echo "${GITHUB_REPOSITORY_LC}" | tr '[:upper:]' '[:lower:]')
           echo "image-tag=${BRANCH_NAME}" >> $GITHUB_OUTPUT
           echo "repo-name=${REPO_NAME}" >> $GITHUB_OUTPUT
 
@@ -73,6 +77,10 @@ jobs:
     needs: build-image
     # runs-on: [ "self-hosted", "linux", "x64", "ubuntu-core" ]
     runs-on: ubuntu-24.04-arm
+    permissions:
+      contents: read
+      id-token: write
+      attestations: write
     strategy:
       matrix:
         build_target: [x86_64-linux-gnu, aarch64-linux-gnu, riscv64-linux-gnu, powerpc64-linux-gnu, x86_64-w64-mingw32, x86_64-apple-darwin, arm64-apple-darwin]
@@ -89,6 +97,7 @@ jobs:
           ref: ${{ github.event.pull_request.head.sha }}
           path: dash
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Cache depends sources
         uses: actions/cache@v5
@@ -118,14 +127,19 @@ jobs:
 
       - name: Run Guix build
         timeout-minutes: 480
+        env:
+          WORKSPACE: ${{ github.workspace }}
+          REPO_NAME: ${{ needs.build-image.outputs.repo-name }}
+          IMAGE_TAG: ${{ needs.build-image.outputs.image-tag }}
+          BUILD_TARGET: ${{ matrix.build_target }}
         run: |
           docker run --privileged -d --rm -t \
             --name guix-daemon \
-            -v ${{ github.workspace }}/dash:/src/dash \
-            -v ${{ github.workspace }}/.cache:/home/ubuntu/.cache \
+            -v "${WORKSPACE}/dash:/src/dash" \
+            -v "${WORKSPACE}/.cache:/home/ubuntu/.cache" \
             -w /src/dash \
-            ghcr.io/${{ needs.build-image.outputs.repo-name }}/dashcore-guix-builder:${{ needs.build-image.outputs.image-tag }} && \
-          docker exec guix-daemon bash -c 'HOSTS=${{ matrix.build_target }} /usr/local/bin/guix-start /src/dash'
+            "ghcr.io/${REPO_NAME}/dashcore-guix-builder:${IMAGE_TAG}" && \
+          docker exec guix-daemon bash -c "HOSTS=${BUILD_TARGET} /usr/local/bin/guix-start /src/dash"
 
       - name: Ensure build passes
         run: |
@@ -136,8 +150,11 @@ jobs:
 
       - name: Compute SHA256 checksums
         continue-on-error: true # It will complain on depending on only some hosts
+        env:
+          BUILD_TARGET: ${{ matrix.build_target }}
+          WORKSPACE: ${{ github.workspace }}
         run: |
-          HOSTS=${{ matrix.build_target }} ./dash/contrib/containers/guix/scripts/guix-check ${{ github.workspace }}/dash
+          HOSTS="${BUILD_TARGET}" ./dash/contrib/containers/guix/scripts/guix-check "${WORKSPACE}/dash"
 
       - name: Upload build artifacts
         uses: actions/upload-artifact@v6