chore(ci): address CI lint findings (#545)

This addresses all of zizmor's non-pedantic findings, and adds a workflow to proactively flag any more that come in. Key changes: * I've hash-pinned all actions references. Dependabot will continue to keep these updated and will update the hash comments as well. * I've marked every `actions/checkout` with `persist-credentials: false` except for one that actually needs persisted credentials (which I've explicitly enabled with an explanatory comment) * I've dropped some workflow-level permissions in favor of job-level permissions that were already provisioned. * I fixed two small template injections caused by expanding output contexts. I think these were not exploitable in practice, but fixing them is good for defense in depth (and makes spellcheck work nicely on these steps). --------- Signed-off-by: William Woodruff <william@astral.sh>
2025-12-23 11:01:03 +00:00 · 2025-09-02 09:29:06 -04:00
parent 557e51de59
commit b1836110f7
5 changed files with 139 additions and 45 deletions
--- a/.github/workflows/update-known-versions.yml
+++ b/.github/workflows/update-known-versions.yml
@@ -4,6 +4,8 @@ on:
  schedule:
    - cron: "0 4 * * *" # Run every day at 4am UTC

+permissions: {}
+
 jobs:
  build:
    runs-on: ubuntu-24.04-arm
@@ -11,8 +13,10 @@ jobs:
      contents: write
      pull-requests: write
    steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
        with:
          node-version: "20"
      - name: Update known versions