From cdd4c6080578e45c5ef8dd0ef959def2c7c7c169 Mon Sep 17 00:00:00 2001
From: Christian Visintin
Date: Sun, 7 Jun 2026 16:46:56 +0200
Subject: [PATCH] ci: pin all actions to verified SHAs and clear zizmor findings

Pin every action to a commit SHA whose tag comment matches (verified via gh api), add least-privilege permissions, set persist-credentials: false, and replace the archived actions-rs/cargo with a plain cargo test. zizmor clean at default persona.
---
 .github/workflows/codeberg-mirror.yml | 8 ++++++--
 .github/workflows/install.yml | 7 ++++++-
 .github/workflows/linux.yml | 16 +++++++++-------
 .github/workflows/macos.yml | 9 +++++++--
 .github/workflows/stale.yml | 5 ++++-
 .github/workflows/website.yml | 10 ++++++----
 .github/workflows/windows.yml | 9 +++++++--
 7 files changed, 45 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/codeberg-mirror.yml b/.github/workflows/codeberg-mirror.yml
index 63a1028..2c3d9ff 100644
--- a/.github/workflows/codeberg-mirror.yml
+++ b/.github/workflows/codeberg-mirror.yml
@@ -2,15 +2,19 @@ name: codeberg-mirror
 on:
   push:
 
+permissions:
+  contents: read
+
 jobs:
   mirror:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: "Mirror to Codeberg"
-        uses: yesolutions/mirror-action@v0.7.0
+        uses: yesolutions/mirror-action@1708f16cdb28634fd3ba10c5c79abc91f5578a14 # v0.7.0
         with:
           REMOTE: 'ssh://git@codeberg.org/veeso/termscp.git'
           GIT_SSH_PRIVATE_KEY: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
diff --git a/.github/workflows/install.yml b/.github/workflows/install.yml
index 745a108..39b1d1e 100644
--- a/.github/workflows/install.yml
+++ b/.github/workflows/install.yml
@@ -9,6 +9,9 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 jobs:
   build:
     strategy:
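Review bot: The pin comments record a moving ref rather than the release the SHA was verified against — `# v6` on the `actions/checkout` line in this hunk is a major-version alias that the action's maintainers move on every release, so neither a reader nor an update tool can tell from the comment which release df4cb1c… actually is. The same applies to every `# v6` comment in install.yml, linux.yml, macos.yml, website.yml and windows.yml, and even more to `# stable` on the `dtolnay/rust-toolchain` pins in linux.yml, macos.yml and windows.yml, where `stable` is a moving ref with no release attached. Record the exact tag the SHA resolved to at verification time, e.g. `# v6.<minor>.<patch>` (placeholder; take the value from the `gh api` check the commit describes), so the comment stays re-verifiable and tools that refresh SHA pins from the tag comment have an exact version to compare against.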
@@ -19,7 +22,9 @@ jobs:
 
     runs-on: ${{ matrix.os }}
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Install termscp from script
         run: |
           ./install.sh -f
diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index 79ce01f..5a58651 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -14,28 +14,30 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 
 jobs:
   build-linux:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: sudo apt update && sudo apt install -y libdbus-1-dev libsmbclient-dev
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           toolchain: nightly
           components: rustfmt, clippy
       - name: Format
         run: cargo +nightly fmt --all -- --check
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           toolchain: stable
           components: rustfmt, clippy
       - name: Run tests
-        uses: actions-rs/cargo@v1
-        with:
-          command: test
-          args: --no-default-features --features github-actions --no-fail-fast
+        run: cargo test --no-default-features --features github-actions --no-fail-fast
       - name: Clippy
         run: cargo clippy -- -Dwarnings
diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
index 71a9ef3..7cf6c73 100644
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
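Review bot: The new `run: cargo test --no-default-features --features github-actions --no-fail-fast` line in the linux.yml hunk depends on the second `dtolnay/rust-toolchain` step having made `stable` the default toolchain after the earlier nightly install, whereas the `Format` step two lines above names its toolchain explicitly with `cargo +nightly`. Spell it out the same way, `run: cargo +stable test --no-default-features --features github-actions --no-fail-fast`, and likewise for the `Clippy` step below it, `run: cargo +stable clippy -- -Dwarnings`, so neither can silently run on nightly if the toolchain steps are reordered or merged later. Otherwise the one-for-one replacement of the archived `actions-rs/cargo` wrapper is the right call; the `components: rustfmt, clippy` on the nightly install is pre-existing and not changed here.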
@@ -14,12 +14,17 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 jobs:
   build-macos:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           toolchain: stable
           components: rustfmt, clippy
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
index 249ca83..7bdf878 100644
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,6 +3,9 @@ on:
   schedule:
     - cron: "30 1 * * *"
 
+permissions:
+  contents: read
+
 jobs:
   close-issues:
     runs-on: ubuntu-latest
@@ -10,7 +13,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@v4.1.1
+      - uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4.1.1
         with:
           days-before-issue-stale: 30
           days-before-issue-close: 7
diff --git a/.github/workflows/website.yml b/.github/workflows/website.yml
index 63afa23..80578ae 100644
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -32,13 +32,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
       - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
         with:
           path: "./site/"
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
diff --git a/.github/workflows/windows.yml b/.github/workflows/windows.yml
index fd80544..4e20bf6 100644
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
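Review bot: The workflow-level `permissions: contents: read` added in the first stale.yml hunk never reaches the `close-issues` job, because that job declares its own `permissions` block (`issues: write`, `pull-requests: write`, visible at the top of the second hunk) and a job-level block replaces the workflow-level one instead of merging with it — every scope the job does not list, including `contents`, is set to none for its token. That is harmless for `actions/stale`, which does not need repository contents, but the new top-level block reads as if the job inherits it. Either drop the workflow-level block as dead configuration, or keep it with a comment above it such as `# Default for any future job; close-issues declares its own block, which replaces this one.` so the next reader does not assume inheritance.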
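Review bot: The `Checkout` step in the website.yml hunk jumps from `actions/checkout@v3` to a v6 SHA inside a commit described as a pure SHA pin — the other workflows were already on v6, so this is the one place where a three-major-version upgrade (with runtime changes between those releases) is bundled with the pinning and easy to miss. It would be better surfaced either as its own commit or by a sentence in the commit message naming the upgrade, so a reviewer scanning for no-op pins sees it. The job's `permissions` block, which `actions/deploy-pages` relies on for `pages: write` and `id-token: write`, lies above the hunk, so I cannot confirm it from here; the enclosing job starts before line 32.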
@@ -14,13 +14,18 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+
 
 jobs:
   build-windows:
     runs-on: windows-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
         with:
           toolchain: stable
           components: rustfmt, clippy