ci: pin all actions to verified SHAs and clear zizmor findings

Pin every action to a commit SHA whose tag comment matches (verified via gh api), add least-privilege permissions, set persist-credentials: false, and replace the archived actions-rs/cargo with a plain cargo test. zizmor clean at default persona.
2026-06-13 03:59:37 +02:00 · 2026-06-07 16:46:56 +02:00
parent c652ca18b8
commit cdd4c60805
7 changed files with 45 additions and 19 deletions
--- a/.github/workflows/codeberg-mirror.yml
+++ b/.github/workflows/codeberg-mirror.yml
@@ -2,15 +2,19 @@ name: codeberg-mirror
 on:
  push:

+permissions:
+  contents: read
+
 jobs:
  mirror:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          fetch-depth: 0
+          persist-credentials: false
      - name: "Mirror to Codeberg"
-        uses: yesolutions/mirror-action@v0.7.0
+        uses: yesolutions/mirror-action@1708f16cdb28634fd3ba10c5c79abc91f5578a14 # v0.7.0
        with:
          REMOTE: 'ssh://git@codeberg.org/veeso/termscp.git'
          GIT_SSH_PRIVATE_KEY: ${{ secrets.GIT_SSH_PRIVATE_KEY }}