ci, action: address zizmor findings, bump versions (#222)

Signed-off-by: William Woodruff <william@yossarian.net>

Author: woodruffw

.github/workflows/ci.yml

@@ -6,11 +6,13 @@ on:
       - main
   pull_request:
 
+permissions: {}
+
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 

.github/workflows/release.yml

@@ -5,18 +5,17 @@ on:
 
 name: release
 
-permissions:
-  # Used to sign the release's artifacts with sigstore-python.
-  id-token: write
-
-  # Used to attach signing artifacts to the published release.
-  contents: write
+permissions: {}
 
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write # Used to sign the artifacts.
+      contents: write # Used to attach signing artifacts to the release.
+
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 

.github/workflows/schedule-selftest.yml

@@ -2,17 +2,19 @@ name: Scheduled self-test
 
 on:
   schedule:
-    - cron: '0 12 * * *' # Every day at 1200 UTC
+    - cron: "0 12 * * *" # Every day at 1200 UTC
+
+permissions: {}
 
 jobs:
   run-selftests:
     permissions:
-      id-token: write
+      id-token: write # for OIDC in selftest
 
     uses: ./.github/workflows/selftest.yml
   open-issue:
     permissions:
-      issues: write
+      issues: write # for opening the issue
 
     runs-on: ubuntu-latest
     if: ${{ failure() }}

.github/workflows/selftest.yml

@@ -13,7 +13,7 @@ permissions: {}
 jobs:
   selftest:
     permissions:
-      id-token: write
+      id-token: write # selftest
     strategy:
       matrix:
         os:
@@ -25,10 +25,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v5
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         if: ${{ matrix.os != 'ubuntu-latest' }}
         with:
           python-version: "3.x"
@@ -45,7 +45,7 @@ jobs:
 
   selftest-runner-python:
     permissions:
-      id-token: write
+      id-token: write # selftest
     strategy:
       matrix:
         os:
@@ -55,7 +55,7 @@ jobs:
     runs-on: ${{ matrix.os }}
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Sign artifact and publish signature
@@ -71,7 +71,7 @@ jobs:
 
   selftest-whitespace:
     permissions:
-      id-token: write
+      id-token: write # selftest
     strategy:
       matrix:
         os:
@@ -81,10 +81,10 @@ jobs:
     runs-on: ${{ matrix.os }}
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
-      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v5
+      - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
         if: ${{ matrix.os != 'ubuntu-latest' }}
         with:
           python-version: "3.x"
@@ -106,7 +106,7 @@ jobs:
 
   selftest-xfail-invalid-inputs:
     permissions:
-      id-token: write
+      id-token: write # selftest
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -117,7 +117,7 @@ jobs:
           - "/tmp/extremely-nonexistent-file"
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Sign artifact and publish signature
@@ -138,11 +138,11 @@ jobs:
 
   selftest-staging:
     permissions:
-      id-token: write
+      id-token: write # selftest
     runs-on: ubuntu-latest
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Sign artifact and publish signature
@@ -158,11 +158,11 @@ jobs:
 
   selftest-glob:
     permissions:
-      id-token: write
+      id-token: write # selftest
     runs-on: ubuntu-latest
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Sign artifacts and publish signatures
@@ -180,13 +180,13 @@ jobs:
 
   selftest-xfail-glob-input-expansion:
     permissions:
-      id-token: write
+      id-token: write # selftest
     runs-on: ubuntu-latest
     env:
       TEST_DIR: test
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Sign artifacts and publish signatures
@@ -210,11 +210,11 @@ jobs:
 
   selftest-glob-multiple:
     permissions:
-      id-token: write
+      id-token: write # selftest
     runs-on: ubuntu-latest
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Sign artifacts and publish signatures
@@ -237,11 +237,11 @@ jobs:
 
   selftest-upload-artifacts:
     permissions:
-      id-token: write
+      id-token: write # selftest
     runs-on: ubuntu-latest
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Sign artifact and publish signature
@@ -252,7 +252,7 @@ jobs:
           staging: true
           upload-signing-artifacts: true
           internal-be-careful-debug: true
-      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v4
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: "signing-artifacts-${{ github.job }}"
           path: ./test/uploaded
@@ -264,11 +264,11 @@ jobs:
 
   selftest-verify:
     permissions:
-      id-token: write
+      id-token: write # selftest
     runs-on: ubuntu-latest
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Sign artifact and publish signature
@@ -284,7 +284,7 @@ jobs:
 
   selftest-xfail-verify-missing-options:
     permissions:
-      id-token: write
+      id-token: write # selftest
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -308,7 +308,7 @@ jobs:
 
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Sign artifact and publish signature
@@ -334,11 +334,11 @@ jobs:
 
   selftest-identity-token:
     permissions:
-      id-token: write
+      id-token: write # selftest
     runs-on: ubuntu-latest
     if: (github.event_name != 'pull_request') || !github.event.pull_request.head.repo.fork
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Get OIDC token

.github/workflows/semgrep.yml

@@ -2,24 +2,28 @@ on:
   pull_request: {}
   push:
     branches:
-    - main
-    - master
+      - main
+      - master
     paths:
-    - .github/workflows/semgrep.yml
+      - .github/workflows/semgrep.yml
   schedule:
-  - cron: '0 0 * * 0'
+    - cron: "0 0 * * 0"
+
+permissions: {}
+
 name: Semgrep
+
 jobs:
   semgrep:
     name: Scan
     runs-on: ubuntu-latest
     env:
       SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
     container:
-      image: semgrep/semgrep
+      image: semgrep/semgrep:1.138.0
 
     steps:
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - run: semgrep ci

.github/workflows/zizmor.yml

@@ -6,18 +6,17 @@ on:
   pull_request:
     branches: ["**"]
 
+permissions: {}
+
 jobs:
   zizmor:
     name: zizmor latest via PyPI
     runs-on: ubuntu-latest
     permissions:
-      security-events: write
-      # required for workflows in private repositories
-      contents: read
-      actions: read
+      security-events: write # for uploading the sarif file
     steps:
       - name: Checkout repository
-        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v4
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 

action.yml

@@ -101,7 +101,7 @@ runs:
         GHA_SIGSTORE_PYTHON_INPUTS: "${{ inputs.inputs }}"
       shell: bash
 
-    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       if: inputs.upload-signing-artifacts == 'true'
       with:
         name: "signing-artifacts-${{ github.job }}"