
Address zizmor GitHub Actions findings#1942

Merged
nscuro merged 1 commit into main from zizmor-fixes on Mar 27, 2026

Conversation

@nscuro
Member

@nscuro nscuro commented Mar 27, 2026

Description

Fixes findings identified by zizmor (https://github.com/zizmorcore/zizmor)

Addressed Issue

N/A

Additional Details

N/A

Checklist

  • I have read and understand the contributing guidelines
  • This PR fixes a defect, and I have provided tests to verify that the fix is effective
  • This PR implements an enhancement, and I have provided tests to verify that it works as intended
  • This PR introduces changes to the database model, and I have updated the migration changelog accordingly
  • This PR introduces new or alters existing behavior, and I have updated the documentation accordingly

Fixes findings identified by zizmor (https://github.com/zizmorcore/zizmor)

Signed-off-by: nscuro <nscuro@protonmail.com>
@nscuro nscuro added this to the 5.7.0 milestone Mar 27, 2026
Copilot AI review requested due to automatic review settings March 27, 2026 01:34
Contributor

Copilot AI left a comment


Pull request overview

This PR hardens repository automation to address security findings flagged by zizmor, primarily by reducing credential persistence and preventing expression injection in run scripts across GitHub Actions workflows.

Changes:

  • Disable persisted GitHub credentials in multiple actions/checkout steps (persist-credentials: false) to reduce token exposure risk.
  • Move untrusted/expandable GitHub context values into env: variables before using them in shell scripts (mitigates expression injection findings).
  • Tighten/clarify workflow permissions and adjust release publishing to use the built-in GITHUB_TOKEN where appropriate.

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| .github/workflows/mirror-container-image.yml | Moves registry package fields into env for safer shell usage when mirroring images. |
| .github/workflows/dependency-review.yaml | Disables persisted checkout credentials. |
| .github/workflows/ci-test-pr-coverage.yml | Uses env variables for Codacy token/commit SHA before invoking reporting script. |
| .github/workflows/ci-release.yaml | Removes custom checkout token usage; uses env indirection for inputs in the release step. |
| .github/workflows/ci-publish.yaml | Disables persisted checkout credentials; adds contents: write where needed; switches GH release edits/uploads to GITHUB_TOKEN. |
| .github/workflows/ci-openapi.yaml | Disables persisted checkout credentials in both jobs. |
| .github/workflows/ci-lint.yaml | Adds explicit empty top-level permissions and disables persisted checkout credentials. |
| .github/workflows/buf.yml | Disables persisted checkout credentials. |
| .github/workflows/_meta-build.yaml | Uses env indirection for workflow-call inputs used in shell script logic. |
| .github/dependabot.yml | Adds a cooldown block to Dependabot update configurations. |
Comments suppressed due to low confidence (1)

.github/workflows/ci-release.yaml:87

  • MAVEN_ARGS is built and exported based on workflow inputs, but the mvn release:prepare invocation doesn’t actually use it. Unless Maven is expected to consume MAVEN_ARGS implicitly (it usually doesn’t), the release-version, development-version, and dry-run inputs won’t have any effect. Consider either passing the constructed arguments to mvn explicitly or removing the dead argument-building logic.
```bash
MAVEN_ARGS="-B"
if [[ -n "${INPUT_RELEASE_VERSION}" ]]; then
  MAVEN_ARGS="${MAVEN_ARGS} -DreleaseVersion=${INPUT_RELEASE_VERSION}"
fi
if [[ -n "${INPUT_DEVELOPMENT_VERSION}" ]]; then
  MAVEN_ARGS="${MAVEN_ARGS} -DdevelopmentVersion=${INPUT_DEVELOPMENT_VERSION}"
fi
if [[ "${INPUT_DRY_RUN}" == "true" ]]; then
  MAVEN_ARGS="${MAVEN_ARGS} -DdryRun=true"
fi
export MAVEN_ARGS

mvn release:prepare
```

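As an added illustration of the two workflow findings the review above describes (persisted checkout credentials and expression injection into `run` scripts), not a file from the Dependency-Track repository: a minimal workflow with the flagged pattern in one job and the hardened form in the other. The workflow, job and variable names are made up.

```yaml
# Added example, not a Dependency-Track workflow. Job and variable names are
# hypothetical; the audit names in the comments are the ones zizmor reports.
name: example-hardening
on:
  pull_request:

# Explicit empty top-level permissions; each job requests only what it needs
# (zizmor audit: excessive-permissions).
permissions: {}

jobs:
  before:
    # The patterns zizmor flags.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        # persist-credentials defaults to true, so the job's GITHUB_TOKEN is
        # written into .git/config and stays readable by every later step
        # (zizmor audit: artipacked).
      - run: |
          echo "PR title: ${{ github.event.pull_request.title }}"
        # The ${{ }} expression is substituted into the script text *before*
        # bash parses it, so PR metadata controlled by the submitter becomes
        # part of the shell program (zizmor audit: template-injection).

  after:
    # The same steps in the form this PR applies across the repository.
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # token is not left behind in .git/config
      - env:
          # Untrusted context reaches the script only as an environment variable.
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "PR title: ${PR_TITLE}"
        # bash now expands $PR_TITLE as data at run time; its contents are
        # never interpreted as shell syntax.
```

Running `zizmor` against this file reports findings only for the `before` job, which is a quick way to confirm that an `env:` indirection or a `persist-credentials: false` change actually cleared the finding.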

@nscuro nscuro merged commit d89d895 into main Mar 27, 2026
14 checks passed
@nscuro nscuro deleted the zizmor-fixes branch March 27, 2026 01:42