Audit workflows

.github/workflows/ci.yml

@@ -9,6 +9,10 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   test:
 
@@ -29,6 +33,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/cache@v4
         with:
@@ -38,22 +44,28 @@ jobs:
             target
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }}-${{ matrix.profile }}
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
       - run: cargo test --profile ${{ matrix.profile }}
 
   format:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@nightly
+        with:
+          persist-credentials: false
+
+      - uses: dtolnay/rust-toolchain@b95584d8105b9ab200e15821fa671848cf2b7017 # nightly
         with:
           components: rustfmt
+
       - run: cargo +nightly fmt --all -- --check
 
   clippy:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/cache@v4
         with:
@@ -63,15 +75,18 @@ jobs:
             target
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }}
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
         with:
           components: clippy
+
       - run: cargo clippy --all-targets --all-features
 
   coverage:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/cache@v4
         with:
@@ -81,21 +96,24 @@ jobs:
             target
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }}
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
 
-      - uses: taiki-e/install-action@cargo-llvm-cov
+      - uses: taiki-e/install-action@13fe1882c51d253ef22193d24823029c0acab68b # cargo-llvm-cov
 
       - run: cargo llvm-cov --all-features --workspace --lcov --output-path lcov.info
 
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: lcov.info
+          persist-credentials: false
 
   examples:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/cache@v4
         with:
@@ -105,6 +123,22 @@ jobs:
             target
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }}
 
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
 
       - run: make examples
+
+  actions-audit:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: Run Zizmor audit
+        run: |
+          docker run --rm -v ${{ github.workspace }}:/workspace/ -w /workspace/ ghcr.io/zizmorcore/zizmor@sha256:4d3128ae1370da9507bdd42a62d72b8304d4d0f290147aaac3eb0ebf51d70890 \
+            --gh-token ${GITHUB_TOKEN} .github/workflows/
+
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/doc.yml

@@ -11,22 +11,28 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
     permissions:
       contents: write
+
     env:
       BRANCH_NAME: ${{ github.event_name == 'pull_request' && github.head_ref || (github.ref_name == '' && 'master' || github.ref_name) }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - uses: dtolnay/rust-toolchain@stable
+          persist-credentials: false
+      - uses: dtolnay/rust-toolchain@4305c38b25d97ef35a8ad1f985ccf2d2242004f2 # stable
       - run: |
           .github/doc/doc.py ${BRANCH_NAME}
           ls -l ./target/docs
-      - uses: peaceiris/actions-gh-pages@v4
+      - uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e # v4.0.0
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
           publish_dir: ./target/docs

.github/workflows/fuzz.yml

@@ -16,11 +16,17 @@ on:
 env:
   CARGO_TERM_COLOR: always
 
+permissions:
+  contents: read
+  actions: read
+
 jobs:
   fuzz:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - uses: actions/cache@v4
         with:
@@ -30,24 +36,31 @@ jobs:
             target
           key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.toml') }}
 
-      - uses: dtolnay/rust-toolchain@nightly
+      - uses: dtolnay/rust-toolchain@b95584d8105b9ab200e15821fa671848cf2b7017 # nightly
 
       - name: Set seconds to run tests
         id: fuzz_config
         run: |
-          if [ "${{ github.event_name }}" = "schedule" ]; then
+          seconds="${SECONDS}"
+          if ! [[ "$seconds" =~ ^[0-9]+$ ]]; then
+            echo "Invalid fuzzseconds input; using default 30"
+            seconds=30
+          fi
+
+          if [ "${EVENT}" = "schedule" ]; then
             echo "fuzzseconds=600" >> "$GITHUB_OUTPUT"
-          elif [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            val="${{ inputs.fuzzseconds }}"
-            if [ -z "$val" ]; then
-              val=30
-            fi
-            echo "fuzzseconds=$val" >> "$GITHUB_OUTPUT"
+          elif [ "${EVENT}" = "workflow_dispatch" ]; then
+            echo "fuzzseconds=$seconds" >> "$GITHUB_OUTPUT"
           else
             echo "fuzzseconds=30" >> "$GITHUB_OUTPUT"
           fi
+        env:
+          SECONDS: ${{ inputs.fuzzseconds }}
+          EVENT: ${{ github.event_name }}
 
       - name: Run tests
         run: |
           cargo install cargo-fuzz
-          cargo +nightly fuzz run static_vector -- -max_total_time=${{ steps.fuzz_config.outputs.fuzzseconds }}
+          cargo +nightly fuzz run static_vector -- -max_total_time=${SECONDS}
+        env:
+          SECONDS: ${{ steps.fuzz_config.outputs.fuzzseconds }}