ci: zizmorify

Author: figsoda

.github/dependabot.yml

@@ -5,6 +5,8 @@ updates:
     directory: /
     schedule:
       interval: daily
+    cooldown:
+      default-days: 7
     groups:
       cargo:
         patterns: ["*"]
@@ -13,6 +15,8 @@ updates:
     directory: /
     schedule:
       interval: daily
+    cooldown:
+      default-days: 7
     groups:
       github-actions:
         patterns: ["*"]

.github/workflows/ci.yml

@@ -6,6 +6,8 @@ on:
       - main
   pull_request:
 
+permissions: {}
+
 jobs:
   build:
     name: build
@@ -24,7 +26,9 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install dependencies (musl)
         if: contains(matrix.target, 'musl')
@@ -44,22 +48,24 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Restore fetcher cache
-        uses: actions/cache/restore@v5
+        uses: actions/cache/restore@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         with:
           key: nix-cache-${{ hashFiles('flake.lock', 'src/**', 'tests/**/*.toml') }}
           path: ~/.cache/nix
           restore-keys: nix-cache-
 
       - name: Install nix
-        uses: cachix/install-nix-action@v31
+        uses: cachix/install-nix-action@51f3067b56fe8ae331890c77d4e454f6d60615ff # v31.10.2
         with:
           nix_path: nixpkgs=channel:nixos-unstable
 
       - name: Set up cachix
-        uses: cachix/cachix-action@v17
+        uses: cachix/cachix-action@1eb2ef646ac0255473d23a5907ad7b04ce94065c # v17
         with:
           name: nix-community
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
@@ -68,7 +74,7 @@ jobs:
         run: cargo test
 
       - name: Save fetcher cache
-        uses: actions/cache/save@v5
+        uses: actions/cache/save@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
         if: always()
         with:
           key: nix-cache-${{ hashFiles('flake.lock', 'src/**', 'tests/**/*.toml') }}
@@ -79,7 +85,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: "Cargo: clippy, fmt"
         run: |

.github/workflows/release.yml

@@ -13,7 +13,7 @@ jobs:
       contents: write
     steps:
       - name: Create release
-        uses: softprops/action-gh-release@v2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
         with:
           body: "[CHANGELOG.md](https://github.com/nix-community/nurl/blob/main/CHANGELOG.md)"
 
@@ -37,7 +37,9 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install dependencies (musl)
         if: contains(matrix.target, 'musl')
@@ -53,7 +55,7 @@ jobs:
           RUSTFLAGS: -C strip=symbols
 
       - name: Upload asset
-        uses: svenstaro/upload-release-action@v2
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # latest
         with:
           tag: ${{ github.ref }}
           file: target/${{ matrix.target }}/release/nurl
@@ -68,7 +70,9 @@ jobs:
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Cargo build
         run: |
@@ -83,7 +87,7 @@ jobs:
           mv artifacts/{_nurl,nurl.zsh}
 
       - name: Upload artifacts
-        uses: svenstaro/upload-release-action@v2
+        uses: svenstaro/upload-release-action@29e53e917877a24fad85510ded594ab3c9ca12de # latest
         with:
           tag: ${{ github.ref }}
           file: artifacts/*