ci: harden existing workflows for the security gate (#3498)

Pin actions to commit SHAs, set persist-credentials: false on every checkout, and scope token permissions to the jobs that use them. Suppress the two findings that are safe by design: the description bot's pull_request_target trigger (no fork code runs) and an intentional word-split in the docker manifest step. Clears actionlint and zizmor against dev so the blocking gate from #1314 can pass once both land.
2026-06-16 09:45:24 -04:00 · 2026-06-08 11:58:59 -07:00
parent 5198516979
commit ed6cc88974
4 changed files with 37 additions and 16 deletions
@@ -20,6 +20,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5
        with:
          python-version: "3.11"
@@ -31,6 +33,8 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
+        with:
+          persist-credentials: false
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020  # v4
        with:
          node-version: "20"
@@ -53,6 +57,7 @@ jobs:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4
        with:
          fetch-depth: 0
+          persist-credentials: false

      # Detect whether this PR only touches documentation files.
      # If so, skip the expensive pytest run while still reporting a passing check.