Harden GitHub Actions via zizmor

Author: PowerKiKi

.github/dependabot.yml

@@ -4,6 +4,8 @@ updates:
       directory: '/'
       schedule:
           interval: monthly
+      cooldown:
+          default-days: 7
       open-pull-requests-limit: 10
       ignore:
           - dependency-name: '*'

.github/workflows/main.yml

@@ -1,12 +1,15 @@
 name: main
 on: [push, pull_request]
+permissions:
+    contents: read
 
 jobs:
     build:
         runs-on: ubuntu-latest
         steps:
             - uses: actions/checkout@v6
               with:
+                  persist-credentials: false
                   fetch-depth: 0 # Need all tags to get a version number in-between tags
             - uses: pnpm/action-setup@v6
             - uses: actions/setup-node@v6
@@ -24,6 +27,8 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - uses: actions/checkout@v6
+              with:
+                  persist-credentials: false
             - uses: pnpm/action-setup@v6
             - uses: actions/setup-node@v6
               with:
@@ -38,6 +43,8 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - uses: actions/checkout@v6
+              with:
+                  persist-credentials: false
             - uses: pnpm/action-setup@v6
             - uses: actions/setup-node@v6
               with:
@@ -50,6 +57,8 @@ jobs:
         runs-on: ubuntu-latest
         steps:
             - uses: actions/checkout@v6
+              with:
+                  persist-credentials: false
             - uses: pnpm/action-setup@v6
             - uses: actions/setup-node@v6
               with:
@@ -85,6 +94,7 @@ jobs:
         steps:
             - uses: actions/checkout@v6
               with:
+                  persist-credentials: false
                   ref: ${{ github.ref }} # Otherwise our annotated tag is not fetched and we cannot get correct version
             - uses: actions/download-artifact@v8
               with:
@@ -101,10 +111,7 @@ jobs:
             - run: pnpm publish --provenance --no-git-checks dist/fab-speed-dial/
 
             # Create release
-            - name: Get release info
-              run: git tag --format '%(contents:body)' --points-at > release-body.txt
-            - uses: ncipollo/release-action@v1
+            - name: Create release
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
-              with:
-                  bodyFile: release-body.txt
+              run: gh release create "$GITHUB_REF_NAME" --verify-tag --notes "$(git tag --format '%(contents:body)' --points-at)"