chore: Be stricter on action permissions

Author: halostatue

.github/workflows/dependency-review.yml

@@ -9,11 +9,13 @@
 name: 'Dependency Review'
 on: [pull_request]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependency-review:
+    permissions:
+      contents: read
+
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
@@ -23,5 +25,8 @@ jobs:
 
       - name: 'Checkout Repository'
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4.5.0

.github/workflows/generate.yml

@@ -3,10 +3,10 @@ name: Update data and open pull request
 on:
   schedule:
     - cron: '0 18 * * 2'
+
   workflow_dispatch:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   update-definitions:
@@ -22,38 +22,20 @@ jobs:
         with:
           egress-policy: audit
 
-      - id: is-scheduled
-        env:
-          EVENT_NAME: ${{ github.event_name }}
-        run: |
-          declare result
-          declare -i dom
-          dom="$(date +%d | sed 's/^0//')"
-
-          [[ "${EVENT_NAME}" == workflow_dispatch ]] && result=yes
-          ((dom <= 7)) && result=yes
-          ((dom >= 14 && dom <= 21)) && result=yes
-
-          echo "ok=${result}" >>"$GITHUB_OUTPUT"
-
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           persist-credentials: true
-        if: steps.is-scheduled.outputs.ok
 
       - uses: ruby/setup-ruby@277ba2a127aba66d45bad0fa2dc56f80dbfedffa #v1.222.0
-        if: steps.is-scheduled.outputs.ok
         with:
-          ruby-version: '3.2'
+          ruby-version: '3.3'
           rubygems: 'latest'
           bundler: 2
           bundler-cache: true
 
       - run: bundle exec rake release:gha
-        if: steps.is-scheduled.outputs.ok
 
       - uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e #v7.0.8
-        if: steps.is-scheduled.outputs.ok
         with:
           commit-message: |
             ${{ env.UPDATE_TITLE }}

.github/workflows/reviewdog.yml

@@ -3,8 +3,7 @@ name: Reviewdog
 on:
   pull_request:
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   typos:
@@ -17,10 +16,16 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            objects.githubusercontent.com:443
+            raw.githubusercontent.com:443
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
@@ -38,10 +43,14 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
@@ -59,10 +68,18 @@ jobs:
       pull-requests: write
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            github.com:443
+            index.rubygems.org:443
+            objects.githubusercontent.com:443
+            raw.githubusercontent.com:443
+            rubygems.org:443
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:

.github/workflows/scorecards.yml

@@ -12,10 +12,10 @@ on:
   schedule:
     - cron: '20 7 * * 2'
   push:
-    branches: ["main"]
+    branches: ['main']
 
 # Declare default permissions as read only.
-permissions: read-all
+permissions: {}
 
 jobs:
   analysis:

.github/workflows/zizmor.yml

@@ -9,7 +9,7 @@ permissions: {}
 
 jobs:
   zizmor:
-    name: zizmor latest via Cargo
+    name: zizmor latest via uv
     runs-on: ubuntu-latest
 
     permissions:
@@ -19,21 +19,28 @@ jobs:
       actions: read
 
     steps:
-      - name: Harden the runner (Audit all outbound calls)
+      - name: Harden Runner
         uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
-          egress-policy: audit
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            files.pythonhosted.org:443
+            github.com:443
+            objects.githubusercontent.com:443
+            pypi.org:443
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           persist-credentials: false
 
-      - uses: actions-rust-lang/setup-rust-toolchain@9399c7bb15d4c7d47b27263d024f0a4978346ba4 # v1.11.0
+      - uses: astral-sh/setup-uv@f94ec6bedd8674c4426838e6b50417d36b6ab231 #v5.3.1
 
-      - run: cargo install --locked zizmor
-      - run: zizmor --persona pedantic --format sarif . > results.sarif
+      - run: uvx zizmor --persona pedantic --format sarif . > results.sarif
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
       - uses: github/codeql-action/upload-sarif@6bb031afdd8eb862ea3fc1848194185e076637e5 # v3.28.11
         with:
           sarif_file: results.sarif

.github/zizmor.yml

@@ -0,0 +1,5 @@
+rules:
+  artipacked:
+    ignore:
+      - generate.yml:25
+      - publish-gem.yml:42