ci: pin all actions to verified SHAs and clear zizmor findings

Pin every action to a commit SHA whose tag comment matches (verified via gh api), add least-privilege permissions, set persist-credentials: false, and replace the archived actions-rs/cargo with a plain cargo test. zizmor clean at default persona.
2026-06-12 03:29:21 +02:00 · 2026-06-07 16:46:56 +02:00
parent c652ca18b8
commit cdd4c60805
7 changed files with 45 additions and 19 deletions
--- a/.github/workflows/codeberg-mirror.yml
+++ b/.github/workflows/codeberg-mirror.yml
@@ -2,15 +2,19 @@ name: codeberg-mirror
 on:
  push:

+permissions:
+  contents: read
+
 jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          fetch-depth: 0
+          persist-credentials: false
      - name: "Mirror to Codeberg"
-        uses: yesolutions/mirror-action@v0.7.0
+        uses: yesolutions/mirror-action@1708f16cdb28634fd3ba10c5c79abc91f5578a14 # v0.7.0
        with:
          REMOTE: 'ssh://git@codeberg.org/veeso/termscp.git'
          GIT_SSH_PRIVATE_KEY: ${{ secrets.GIT_SSH_PRIVATE_KEY }}
--- a/.github/workflows/install.yml
+++ b/.github/workflows/install.yml
@@ -9,6 +9,9 @@ on:
 env:
  CARGO_TERM_COLOR: always

+permissions:
+  contents: read
+
 jobs:
  build:
    strategy:
@@ -19,7 +22,9 @@ jobs:
    runs-on: ${{ matrix.os }}

    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
      - name: Install termscp from script
        run: |
          ./install.sh -f
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -14,28 +14,30 @@ on:
 env:
  CARGO_TERM_COLOR: always

+permissions:
+  contents: read
+
 jobs:
  build-linux:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
      - name: Install dependencies
        run: sudo apt update && sudo apt install -y libdbus-1-dev libsmbclient-dev
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
        with:
          toolchain: nightly
          components: rustfmt, clippy
      - name: Format
        run: cargo +nightly fmt --all -- --check
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
        with:
          toolchain: stable
          components: rustfmt, clippy
      - name: Run tests
-        uses: actions-rs/cargo@v1
-        with:
-          command: test
-          args: --no-default-features --features github-actions --no-fail-fast
+        run: cargo test --no-default-features --features github-actions --no-fail-fast
      - name: Clippy
        run: cargo clippy -- -Dwarnings
--- a/.github/workflows/macos.yml
+++ b/.github/workflows/macos.yml
@@ -14,12 +14,17 @@ on:
 env:
  CARGO_TERM_COLOR: always

+permissions:
+  contents: read
+
 jobs:
  build-macos:
    runs-on: macos-latest
    steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
        with:
          toolchain: stable
          components: rustfmt, clippy
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -3,6 +3,9 @@ on:
  schedule:
    - cron: "30 1 * * *"

+permissions:
+  contents: read
+
 jobs:
  close-issues:
    runs-on: ubuntu-latest
@@ -10,7 +13,7 @@ jobs:
      issues: write
      pull-requests: write
    steps:
-      - uses: actions/stale@v4.1.1
+      - uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4.1.1
        with:
          days-before-issue-stale: 30
          days-before-issue-close: 7
--- a/.github/workflows/website.yml
+++ b/.github/workflows/website.yml
@@ -32,13 +32,15 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
      - name: Setup Pages
-        uses: actions/configure-pages@v5
+        uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3
        with:
          path: "./site/"
      - name: Deploy to GitHub Pages
        id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
--- a/.github/workflows/windows.yml
+++ b/.github/workflows/windows.yml
@@ -14,13 +14,18 @@ on:
 env:
  CARGO_TERM_COLOR: always

+permissions:
+  contents: read
+
 jobs:
  build-windows:
    runs-on: windows-latest

    steps:
-      - uses: actions/checkout@v6
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+        with:
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@29eef336d9b2848a0b548edc03f92a220660cdb8 # stable
        with:
          toolchain: stable
          components: rustfmt, clippy