Additional bwwl+zizmor changes since merge

.github/workflows/cleanup-container-images.yml

@@ -16,11 +16,13 @@ jobs:
     steps:
       - name: Generate image tag to delete
         id: tag
+        env:
+          EVENT_REF: ${{ github.event.ref }}
         run: |
           # Sanitize deleted branch name to match build workflow tag generation
-          BRANCH_NAME="${{ github.event.ref }}"
+          BRANCH_NAME="${EVENT_REF}"
           IMAGE_TAG=$(echo "$BRANCH_NAME" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g; s/-+/-/g; s/^-+|-+$//g' | cut -c1-128 | sed -E 's/[.-]$//')
-          echo "tag=$IMAGE_TAG" >> $GITHUB_OUTPUT
+          echo "tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
 
       - name: Delete container image version
         continue-on-error: true

.github/workflows/publish.yml

@@ -92,7 +92,7 @@ jobs:
             "ghcr.io/bitwarden/key-connector:$_RELEASE_VERSION"
 
           cosign verify \
-            --certificate-identity "${{ github.server_url }}/${{ github.workflow_ref }}" \
+            --certificate-identity "${GITHUB_SERVER_URL}/${GITHUB_WORKFLOW_REF}" \
             --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
             ghcr.io/bitwarden/key-connector:latest
 

.github/workflows/version-bump.yml

@@ -58,6 +58,7 @@ jobs:
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
         with:
           token: ${{ steps.app-token.outputs.token }}
+          persist-credentials: true
 
       - name: Set up Git
         run: |
@@ -88,8 +89,7 @@ jobs:
           fi
 
           # Check if version is newer.
-          printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V
+          if printf '%s\n' "${CURRENT_VERSION}" "${NEW_VERSION}" | sort -C -V; then
-          if [ $? -eq 0 ]; then
             echo "Version check successful."
           else
             echo "Version check failed."