ci: improve GitHub Actions

Author: ashishb

.github/workflows/lint-github-actions.yaml

@@ -20,6 +20,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   lintGitHubActionsWithActionLint:
     runs-on: ubuntu-latest
@@ -35,7 +39,7 @@ jobs:
           sparse-checkout-cone-mode: false
 
       - name: Lint GitHub Actions
-        uses: reviewdog/action-actionlint@v1
+        uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281  # v1.65.2
 
       - name: Check GitHub Actions with 'actionlint'
         # Ref: https://github.com/rhysd/actionlint/blob/main/docs/usage.md#use-actionlint-on-github-actions
@@ -64,11 +68,5 @@ jobs:
             .github/workflows
           sparse-checkout-cone-mode: false
 
-      - name: Setup Rust
-        uses: actions-rust-lang/setup-rust-toolchain@v1
-
-      - name: Install zizmor
-        run: cargo install zizmor
-
       - name: Run zizmor on GitHub Actions
-        run: zizmor .github/workflows/*
+        run: docker run --rm --network none -v "$PWD":/work:ro ghcr.io/woodruffw/zizmor:latest --offline /work/.github/workflows

.github/workflows/lint-markdown.yaml

@@ -1,38 +1,43 @@
+# Generated by Gabo (https://github.com/ashishb/gabo)
 ---
 # Run this locally with act - https://github.com/nektos/act
 # act -j lintMarkdown
 name: Lint Markdown
 
 on:  # yamllint disable-line rule:truthy
   push:
-    branches: [master, main]
+    branches: [main, master]
     paths:
-      - '**.md'
-      - '.github/workflows/lint-markdown.yaml'
+      - "**.md"
+      - ".github/workflows/lint-markdown.yaml"
   pull_request:
-    branches: [master, main]
+    branches: [main, master]
     paths:
-      - '**.md'
-      - '.github/workflows/lint-markdown.yaml'
+      - "**.md"
+      - ".github/workflows/lint-markdown.yaml"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   lintMarkdown:
     runs-on: ubuntu-latest
     timeout-minutes: 15
 
     steps:
-      - name: Checkout code
+      - name: Checkout repository
         uses: actions/checkout@v6
         with:
           persist-credentials: false
 
       - name: Set up Ruby
         # See https://github.com/ruby/setup-ruby#versioning
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@13e7a03dc3ac6c3798f4570bfead2aed4d96abfb  # v1.244.0
         with:
           ruby-version: 3.0
 

.github/workflows/lint-shell-script.yaml

@@ -1,38 +1,42 @@
+# Generated by Gabo (https://github.com/ashishb/gabo)
 ---
 # Run this locally with act - https://github.com/nektos/act
 # act -j lintShellScript
 name: Lint Shell scripts
 
 on:  # yamllint disable-line rule:truthy
-  workflow_dispatch:
   push:
-    branches: [master, main]
+    branches: [main, master]
     paths:
-      - '**.sh'
-      - '**.bash'
-      - '.github/workflows/lint-shell-script.yaml'
+      - "**.sh"
+      - "**.bash"
+      - ".github/workflows/lint-shell-script.yaml"
   pull_request:
-    branches: [master, main]
+    branches: [main, master]
     paths:
-      - '**.sh'
-      - '**.bash'
-      - '.github/workflows/lint-shell-script.yaml'
+      - "**.sh"
+      - "**.bash"
+      - ".github/workflows/lint-shell-script.yaml"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
 
   lintShellScript:
     runs-on: ubuntu-latest
     timeout-minutes: 15
 
     steps:
-      - name: Checkout code
+      - name: Checkout repository
         uses: actions/checkout@v6
         with:
           persist-credentials: false
 
       - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@2.0.0
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38  # 2.0.0

.github/workflows/lint-yaml.yaml

@@ -1,28 +1,33 @@
+# Generated by Gabo (https://github.com/ashishb/gabo)
 ---
 # Run this locally with act - https://github.com/nektos/act
 # act -j lintYaml
 name: Lint YAML
 
 on:  # yamllint disable-line rule:truthy
   push:
-    branches: [master, main]
+    branches: [main, master]
     paths:
       - '**.yml'
       - '**.yaml'
       - '.github/workflows/**.yml'
       - '.github/workflows/**.yaml'
   pull_request:
-    branches: [master, main]
+    branches: [main, master]
     paths:
-      - '**.yml'
-      - '**.yaml'
-      - '.github/workflows/**.yml'
-      - '.github/workflows/**.yaml'
+      - "**.yml"
+      - "**.yaml"
+      - ".github/workflows/**.yml"
+      - ".github/workflows/**.yaml"
 
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+# Ref: https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token
+permissions:
+  contents: read
+
 jobs:
   lintYaml:
     runs-on: ubuntu-latest
@@ -35,7 +40,7 @@ jobs:
           persist-credentials: false
 
       - name: Check YAML files with linter
-        uses: ibiqlik/action-yamllint@v3
+        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c  # v3.1.1
         with:
           # All files under base dir
           file_or_dir: "."
@@ -53,3 +58,6 @@ jobs:
                 level: warning
               trailing-spaces:
                 level: warning
+
+      - name: Lint GitHub Actions
+        uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281  # v1.65.2

.github/workflows/validate-links.yml

@@ -20,6 +20,9 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
 
   validateLinks: