chore: run zizmor on workflows and fix issues (#366)

I ran `zizmor .` and had an agent work through the changes. The changes
included,

- SHA pinning
- Removing template injection risks
- Minimizing permissions and scoping to just needed
- Removing some caching, leaving other caching in place since it's
guarded reasonably well
- Adding `persist_credentials: false` to actions/checkout steps
- Switching on pull_request_target workflow to pull_request which runs
with lesser permissions

Author: amoeba

.github/workflows/deploy.yml

@@ -58,10 +58,13 @@ jobs:
 
       - name: Download release artifacts
         run: |
-          gh release download ${{ inputs.release_tag }} --repo ${{ github.repository }}
+          gh release download "${RELEASE_TAG}" --repo "${GITHUB_REPOSITORY}"
         env:
+          RELEASE_TAG: ${{ inputs.release_tag }}
           GH_TOKEN: ${{ github.token }}
 
       - name: Upload artifacts
         run: |
-          aws s3 cp . s3://dbc-distribution/${{ inputs.release_tag }} --recursive
+          aws s3 cp . "s3://dbc-distribution/${RELEASE_TAG}" --recursive
+        env:
+          RELEASE_TAG: ${{ inputs.release_tag }}

.github/workflows/dev.yml

@@ -28,16 +28,18 @@ jobs:
     name: Run pre-commit hooks
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-python@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.x'
 
       - name: Install pre-commit
         run: pip install pre-commit
 
       - name: Cache pre-commit
-        uses: actions/cache@v5
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.cache/pre-commit
           key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }}

.github/workflows/dev_pr.yml

@@ -15,7 +15,7 @@
 name: Dev PR
 
 on:
-  pull_request_target:
+  pull_request:
     types: [opened, edited, synchronize, ready_for_review, review_requested]
 
 permissions:
@@ -27,14 +27,18 @@ jobs:
     name: Check PR Title
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
           node-version: '18'
       - name: Install commitlint
         run: |
           npm install @commitlint/cli @commitlint/config-conventional
       - name: Check PR title follows conventional commits spec
         run: |
-          echo "${{ github.event.pull_request.title }}" | npx commitlint --extends @commitlint/config-conventional
+          echo "${PR_TITLE}" | npx commitlint --extends @commitlint/config-conventional
+        env:
+          PR_TITLE: ${{ github.event.pull_request.title }}

.github/workflows/go.yml

@@ -46,7 +46,9 @@ jobs:
         # macos-15 is intel macos while macos-latest is arm64
         os: [ 'ubuntu-latest', 'windows-latest', 'macos-latest', 'macos-15' ]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
       - name: Install Go
         uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
         with:

.github/workflows/integration.yml

@@ -48,7 +48,9 @@ jobs:
       matrix:
         os: ["ubuntu-latest", "macos-latest", "windows-latest"]
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
 
       - name: Install Go
         uses: actions/setup-go@f111f3307d8850f501ac008e886eec1fd1932a34 # v5.3.0
@@ -58,7 +60,7 @@ jobs:
           cache-dependency-path: go.sum
 
       - name: Install Python
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: "3.13"
 

.github/workflows/publish_docs.yml

@@ -23,24 +23,30 @@ concurrency:
   group: "pages"
   cancel-in-progress: true
 
+permissions: {}
+
 jobs:
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
+        with:
+          persist-credentials: false
       - uses: prefix-dev/setup-pixi@82d477f15f3a381dbcc8adc1206ce643fe110fb7
         with:
           pixi-version: v0.59.0
           cache: true
           environments: docs
-      - uses: actions/cache@v4
+      - uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         with:
           key: mkdocs-material-${{ github.ref }}
           path: ~/.cache
       - name: Build site
         run: pixi run -e docs mkdocs build --strict
       - name: Upload built site as artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
         with:
           path: ./site
 
@@ -57,4 +63,4 @@ jobs:
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5

.github/workflows/publish_install_script.yml

@@ -37,7 +37,9 @@ jobs:
     environment: production
 
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+        with:
+          persist-credentials: false
       - name: AWS Login
         uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a  # v4.3.1
         with:
@@ -50,5 +52,7 @@ jobs:
           aws sts get-caller-identity
       - name: Upload install.sh
         run: |
-          aws s3 cp scripts/install.sh s3://${{ vars.AWS_BUCKET }}/install.sh
-          aws s3 cp scripts/install.ps1 s3://${{ vars.AWS_BUCKET }}/install.ps1
+          aws s3 cp scripts/install.sh "s3://${AWS_BUCKET}/install.sh"
+          aws s3 cp scripts/install.ps1 "s3://${AWS_BUCKET}/install.ps1"
+        env:
+          AWS_BUCKET: ${{ vars.AWS_BUCKET }}

.github/workflows/release.yml

@@ -20,19 +20,20 @@ on:
       - "v*"
   pull_request:
 
-permissions:
-  contents: write
-  id-token: write # For AWS auth
+permissions: {}
 
 jobs:
   snapshot:
     runs-on: ubuntu-latest
     environment: snapshot
     if: github.event_name == 'pull_request' && !github.event.pull_request.head.repo.fork
+    permissions:
+      contents: read
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Go
         uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
@@ -67,19 +68,19 @@ jobs:
           gpg-connect-agent "PRESET_PASSPHRASE $KEYGRIP -1 $(echo -n '${{ secrets.SIGNING_PASSWORD }}' | od -An -t x1 | tr -d ' ')"
 
       - name: "Set up Python"
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
 
       - name: Install Wheel
         run: pip install wheel
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Run GoReleaser Snapshot
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
@@ -94,7 +95,7 @@ jobs:
           SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
 
       - name: Upload Snapshot Artifacts
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: snapshot-artifacts
           path: |
@@ -111,14 +112,19 @@ jobs:
     runs-on: ubuntu-latest
     environment: production
     if: github.event_name == 'push'
+    permissions:
+      contents: write
+      id-token: write # For AWS auth
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Set up Go
         uses: actions/setup-go@7a3fe6cf4cb3a834922a1244abfce67bcef6a0c5 # v6.2.0
         with:
           go-version-file: './go.mod'
+          cache: false
 
       # pull more recent version of wixl than in the ubuntu repos
       # needed for Path Env update support
@@ -156,10 +162,12 @@ jobs:
           aws-region: ${{ vars.AWS_REGION }}
 
       - name: "Set up Python"
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v6
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        with:
+          enable-cache: false
 
       - name: Install Wheel
         run: pip install wheel
@@ -171,10 +179,10 @@ jobs:
           password: ${{ secrets.DOCKER_TOKEN }}
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       # cross-platform macos notarization/signing
       - name: Install anchore/quill
@@ -191,8 +199,8 @@ jobs:
           sudo dpkg --install jsign_7.0_all.deb
           rm jsign_7.0_all.deb
 
-          echo "PKCS11_CONFIG=${{ steps.digicert.outputs.PKCS11_CONFIG }}" >> "$GITHUB_ENV"
-          SM_TOOLS_DIR=$(dirname "$(realpath '${{ steps.digicert.outputs.PKCS11_CONFIG }}')")
+          echo "PKCS11_CONFIG=${PKCS11_CONFIG}" >> "$GITHUB_ENV"
+          SM_TOOLS_DIR=$(dirname "$(realpath "${PKCS11_CONFIG}")")
           echo "${{ secrets.SM_CLIENT_CERT_FILE_B64 }}" | base64 -d > "${SM_TOOLS_DIR}/Certificate_pkcs12.p12"
           echo "SM_HOST=${{ secrets.SM_HOST }}" >> "$GITHUB_ENV"
           echo "SM_API_KEY=${{ secrets.SM_API_KEY }}" >> "$GITHUB_ENV"
@@ -202,6 +210,8 @@ jobs:
 
           # clean up
           git clean -xdf
+        env:
+          PKCS11_CONFIG: ${{ steps.digicert.outputs.PKCS11_CONFIG }}
 
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a # v6.4.0
@@ -236,4 +246,6 @@ jobs:
             --if-match=$ETAG \
             --kvs-arn=${{ secrets.AWS_CF_KVSTORE_ARN }} \
             --key=latest \
-            --value=${{ fromJSON(steps.gorelease.outputs.metadata).version }}
+            --value="${RELEASE_VERSION}"
+        env:
+          RELEASE_VERSION: ${{ fromJSON(steps.gorelease.outputs.metadata).version }}