Address zizmor errors and warnings (#14)

aleks-p · web-flow · commit d0df32fbc9d3 · 2025-05-01T12:03:44.000-03:00
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -6,11 +6,16 @@ on:
   pull_request:
     branches: [ main ]
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: 3.12
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -5,15 +5,15 @@ on:
     tags:
     - 'v*'
 
-permissions:
-  contents: write
-  id-token: write
-
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v3
+        with:
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: 3.12
@@ -32,7 +32,7 @@ jobs:
           draft: false
           prerelease: false
       - name: Upload release artifacts
-        uses: korniltsev/actions-upload-release-asset@v1
+        uses: korniltsev/actions-upload-release-asset@32f18be3a7dab6873e1d27e3aee2e0fec3620d5d # v1
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
@@ -41,23 +41,25 @@ jobs:
   publish:
     needs: release
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
-      - uses: robinraju/release-downloader@v1.4
+      - uses: robinraju/release-downloader@ed86e52bc497d1185844fc28454c5999aaed2fa5 # v1.4
         with: 
           tag: ${{ github.ref_name }}
           fileName: "*"
           tarBall: false 
           zipBall: false 
           out-file-path: "dist"
           token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: grafana/shared-workflows/actions/get-vault-secrets@main
+      - uses: grafana/shared-workflows/actions/get-vault-secrets@974c33049d0967c5c9cfc249fe675daf341dc78f
         with:
           vault_instance: dev
           # Secrets placed in the ci/repo/grafana/otel-profiling-python/ path in Vault
           repo_secrets: |
             PYPI_API_TOKEN=publishing:pypi_api_key
       - name: Publish a Python distribution to PyPI
-        uses: pypa/gh-action-pypi-publish@release/v1
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # v1.12.4
         with:
           user: __token__
           password: ${{ env.PYPI_API_TOKEN }}
