chore(ci): address CI lint findings (#545)

This addresses all of zizmor's non-pedantic findings, and adds a workflow to proactively flag any more that come in. Key changes: * I've hash-pinned all actions references. Dependabot will continue to keep these updated and will update the hash comments as well. * I've marked every `actions/checkout` with `persist-credentials: false` except for one that actually needs persisted credentials (which I've explicitly enabled with an explanatory comment) * I've dropped some workflow-level permissions in favor of job-level permissions that were already provisioned. * I fixed two small template injections caused by expanding output contexts. I think these were not exploitable in practice, but fixing them is good for defense in depth (and makes spellcheck work nicely on these steps). --------- Signed-off-by: William Woodruff <william@astral.sh>
2025-12-23 11:01:03 +00:00 · 2025-09-02 09:29:06 -04:00
parent 557e51de59
commit b1836110f7
5 changed files with 139 additions and 45 deletions
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -8,6 +8,8 @@ on:
    branches:
      - main

+permissions: {}
+
 jobs:
  update_release_draft:
    name: ✏️ Draft release
@@ -17,6 +19,6 @@ jobs:
      pull-requests: read
    steps:
      - name: 🚀 Run Release Drafter
-        uses: release-drafter/release-drafter@v6.1.0
+        uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5 # v6.1.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}