chore(ci): address CI lint findings (#545)

This addresses all of zizmor's non-pedantic findings, and adds a workflow to proactively flag any more that come in. Key changes: * I've hash-pinned all actions references. Dependabot will continue to keep these updated and will update the hash comments as well. * I've marked every `actions/checkout` with `persist-credentials: false` except for one that actually needs persisted credentials (which I've explicitly enabled with an explanatory comment) * I've dropped some workflow-level permissions in favor of job-level permissions that were already provisioned. * I fixed two small template injections caused by expanding output contexts. I think these were not exploitable in practice, but fixing them is good for defense in depth (and makes spellcheck work nicely on these steps). --------- Signed-off-by: William Woodruff <william@astral.sh>
2025-12-23 11:01:03 +00:00 · 2025-09-02 09:29:06 -04:00
parent 557e51de59
commit b1836110f7
5 changed files with 139 additions and 45 deletions
--- a/.github/workflows/codeql-analysis.yml
+++ b/.github/workflows/codeql-analysis.yml
@@ -21,6 +21,8 @@ on:
    branches:
      - main

+permissions: {}
+
 jobs:
  analyze:
    name: Analyze
@@ -39,11 +41,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v5
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11
        with:
          languages: ${{ matrix.language }}
          source-root: src
@@ -55,7 +59,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 https://git.io/JvXDl
@@ -69,4 +73,4 @@ jobs:
      #   make release

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.11