Conversation
Codecov Report
All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs #91):
            main     #91    +/-
Coverage  94.57%  94.57%
Files          6       6
Lines        369     369
Hits         349     349
Misses        20      20
zimeg
left a comment
📝 Leaving one comment on updated permissions of the publish workflow for the wonderful reviewers!
Next release of this action, let's keep an eye on this 👁️🗨️
permissions:
  contents: write
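Review bot: `contents: write` declared at the workflow level is inherited by every job in the file; if the publish workflow has any job besides the one that pushes the tag and creates the release, move this block under that job and leave the rest at `contents: read`, so a compromised step elsewhere in the workflow cannot write to the repository.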
These permissions are noted in JasonEtco/build-and-tag-action#45 and match a similar workflow that's found in slackapi/slack-github-action
hello-ashleyintech
left a comment
LGTM and the PR is well written and documented for this change! Thank you 🙇
WilliamBergamin
left a comment
All for the minimum permission 💯
This might be a hot take, but I don't think we need to pin the hashes. I think the readability of the raw version outweighs the benefits of pinning hashes and leaving comments for the actual version, and I'm concerned about how Dependabot handles updating these dependencies.
Could you explain what the security improvements gained by using the hash rather than referencing the version are, and share any documented cases of critical vulnerability in this area 🙏
It may also be worth considering what is at risk here. As far as I know these GitHub Actions don't have access to our package release keys, and I don't think we should be building a "complex security vault" if we are leaving it empty.
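To make the pinning question concrete, here is an added example (written for this page, not code from this PR, and not how zizmor or pinact work internally). It scans a workflow for `uses:` references and classifies each by whether it resolves to immutable code: a 40-hex commit SHA cannot be moved, while a tag such as `@v4` or a branch such as `@main` resolves to whatever the action maintainer, or anyone who compromises their repository, points it at the moment the job starts. It also reads back the top-level `permissions:` block. The sample workflow, its hypothetical job names and the 40-hex SHA are constructed for the example and do not refer to a real commit.

```python
"""Audit a GitHub Actions workflow for unpinned `uses:` references and read
back its top-level `permissions:` block. Regex-based on purpose: it needs no
PyYAML and handles the one-line forms that almost all workflows use."""
import re
from dataclasses import dataclass
from typing import Optional

SHA40 = re.compile(r"^[0-9a-f]{40}$")
# `- uses: owner/repo@ref   # optional trailing version comment`
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(.*?))?\s*$")
MUTABLE_BRANCHES = {"main", "master", "develop", "trunk"}


@dataclass(frozen=True)
class Finding:
    line: int
    ref: str
    kind: str   # pinned | pinned-no-comment | mutable-tag | mutable-branch | skipped
    note: str


def classify_uses(ref: str, comment: Optional[str]) -> tuple[str, str]:
    """Say whether a single `uses:` reference resolves to immutable code."""
    if ref.startswith("./"):
        return "skipped", "local action, versioned together with this repo"
    if ref.startswith("docker://"):
        if "@sha256:" in ref:
            return "pinned", "image pinned by digest"
        return "mutable-tag", "image tag can be re-pushed with different contents"
    if "@" not in ref:
        return "mutable-branch", "no ref given, resolves to the action's default branch"
    version = ref.rsplit("@", 1)[1]
    if SHA40.fullmatch(version):
        if comment:
            return "pinned", f"immutable commit, version comment: {comment}"
        return "pinned-no-comment", "immutable commit, but no version comment for readers or Dependabot"
    if version in MUTABLE_BRANCHES:
        return "mutable-branch", "branch head moves with every push to the action repo"
    return "mutable-tag", "a tag can be deleted and re-pointed by whoever controls the action repo"


def audit_uses(workflow_text: str) -> list[Finding]:
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            kind, note = classify_uses(m.group(1), m.group(2))
            findings.append(Finding(lineno, m.group(1), kind, note))
    return findings


def top_level_permissions(workflow_text: str) -> Optional[dict[str, str]]:
    """Return the workflow-level permissions map, {"*": shorthand} for the
    `permissions: read-all` style, or None when the key is absent (then the
    repository default applies, which may still be write-all)."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(r"^permissions:\s*(\S+)?\s*$", line)   # column 0 only
        if not m:
            continue
        if m.group(1):
            return {"*": m.group(1)}
        perms: dict[str, str] = {}
        for nxt in lines[i + 1:]:
            km = re.match(r"^\s+([\w-]+):\s*(\S+)", nxt)
            if not km:
                break
            perms[km.group(1)] = km.group(2)
        return perms
    return None


# Constructed sample modelled on a publish workflow; the SHA below is made up.
SAMPLE_WORKFLOW = """\
name: publish
on:
  release:
    types: [published]
permissions:
  contents: write
jobs:
  tag:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (constructed sha)
      - uses: JasonEtco/build-and-tag-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""


def report(workflow_text: str) -> list[str]:
    """One line for the permissions block plus one per reference that could move."""
    perms = top_level_permissions(workflow_text)
    out = [f"top-level permissions: {perms if perms is not None else 'NOT SET (repository default)'}"]
    for f in audit_uses(workflow_text):
        if f.kind not in ("pinned", "skipped"):
            out.append(f"line {f.line}: {f.ref}: {f.kind}: {f.note}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_WORKFLOW)))
```

`pinned-no-comment` is reported separately from `pinned` because the trailing `# vX.Y.Z` comment is what keeps a SHA-pinned line readable, and Dependabot updates that comment together with the SHA when it bumps the action, which answers the readability concern raised above without giving up the immutable reference.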
@hello-ashleyintech @WilliamBergamin Once more, I appreciate the fast reviews so much 🙏 ✨ @WilliamBergamin Following the comment of slackapi/slack-github-action#441 I'm requesting another review before merge! Please let me know if other changes are requested but I shall continue onto other projects we maintain for the meantime.
@hello-ashleyintech @WilliamBergamin I appreciate the reviews too on this PR. I am going to merge this and similar PRs now 🫡
Summary
This PR uses the wonderful zizmor tool to audit our own workflows and pinact for pinned versioning 👾 While not so simple to bump ourselves, the kind @dependabot can help keep these hashes updated 🤖 ✨
Reviewers
A similar audit can be performed with the zizmor tool:

Notes
Similar changes exist in slackapi/slack-github-action#441 but comments on unexpected changes follow!
Requirements