fix: harden GitHub Actions workflows (#57)

* fix: harden GitHub Actions workflows (zizmor)

- Fix template injection vulnerability by using environment variables
  instead of direct interpolation of github.ref
- Pin all third-party actions to full-length commit SHAs
- Add explicit permissions (contents: write) to publish workflow
- Add persist-credentials: false to checkout step
- Add zizmor.yml configuration file

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: update actions to latest versions and suppress false positive zizmor finding

Update actions/checkout to v6.0.2 and actions/setup-node to v4.4.0
with pinned SHAs. Suppress false positive cache-poisoning finding for
setup-node in publish.yml (caching is not enabled without explicit
cache: config).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: reberhardt7

.github/workflows/publish.yml

@@ -5,6 +5,10 @@ on:
       - "release/[0-9]+.[0-9]+.[0-9]+"
 
 name: Deploy Extension
+
+permissions:
+  contents: write
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
@@ -13,18 +17,22 @@ jobs:
         id: releaseMode
         # perform secret check & put boolean result as an output
         shell: bash
+        env:
+          GIT_REF: ${{ github.ref }}
         run: |
-          if [[ "${{ github.ref }}" = "refs/tags/dryrun"* ]]; then
+          if [[ "$GIT_REF" = "refs/tags/dryrun"* ]]; then
             echo "dryRun=true" >> $GITHUB_OUTPUT;
           else
             echo "dryRun=false" >> $GITHUB_OUTPUT;
           fi
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       - run: npm ci
       - name: Publish to Open VSX Registry
         if: success() || failure()
-        uses: HaaLeo/publish-vscode-extension@v1
+        uses: HaaLeo/publish-vscode-extension@f4ece70f329f66686bd71c54b1671353fe320e49 # v1
         id: publishToOpenVSX
         with:
           dryRun: ${{ steps.releaseMode.outputs.dryRun }}
@@ -33,7 +41,7 @@ jobs:
           skipDuplicate: true
       - name: Publish to Visual Studio Marketplace
         if: success() || failure()
-        uses: HaaLeo/publish-vscode-extension@v1
+        uses: HaaLeo/publish-vscode-extension@f4ece70f329f66686bd71c54b1671353fe320e49 # v1
         with:
           dryRun: ${{ steps.releaseMode.outputs.dryRun }}
           extensionFile: ${{ steps.publishToOpenVSX.outputs.vsixPath }}
@@ -42,7 +50,7 @@ jobs:
           registryUrl: https://marketplace.visualstudio.com
           skipDuplicate: true
       - name: Github Release
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v1
         if: ${{ ! steps.releaseMode.outputs.dryRun }}
         with:
           body: |

.github/zizmor.yml

@@ -0,0 +1,6 @@
+rules:
+  secrets-outside-env:
+    disable: true
+  cache-poisoning:
+    ignore:
+      - publish.yml