ci: pin all actions to verified SHAs and clear zizmor findings

Pin every action to a commit SHA whose tag comment matches (verified via gh api),
add least-privilege permissions, set persist-credentials: false, and replace the
archived actions-rs/cargo with a plain cargo test. zizmor clean at default persona.
This commit is contained in:
Christian Visintin
2026-06-07 16:46:56 +02:00
parent c652ca18b8
commit cdd4c60805
7 changed files with 45 additions and 19 deletions

View File

@@ -3,6 +3,9 @@ on:
schedule:
- cron: "30 1 * * *"
permissions:
contents: read
jobs:
close-issues:
runs-on: ubuntu-latest
@@ -10,7 +13,7 @@ jobs:
issues: write
pull-requests: write
steps:
- uses: actions/stale@v4.1.1
- uses: actions/stale@a20b814fb01b71def3bd6f56e7494d667ddf28da # v4.1.1
with:
days-before-issue-stale: 30
days-before-issue-close: 7