Tighten GHA permissions (#7959)

* Add dependabot cooldown to avoid bleeding edge

* Restrict workflow-level permissions in all workflows

* Switch Zizmor workflow to use official Action

* Tighten a few permissions

Author: maresb

.github/dependabot.yml

@@ -8,3 +8,5 @@ updates:
     labels:
       - "Github CI/CD"
       - "no releasenotes"
+    cooldown:
+      default-days: 7

.github/workflows/devcontainer-docker-image.yml

@@ -1,5 +1,7 @@
 name: devcontainer-docker-image
 
+permissions: {}
+
 on:
   workflow_dispatch:
   schedule:
@@ -18,7 +20,6 @@ jobs:
     # Set permissions for GitHub token
     # <https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#authenticating-to-package-registries-on-github>
     permissions:
-      contents: read
       packages: write
 
     steps:

.github/workflows/docker-image.yml

@@ -1,5 +1,7 @@
 name: docker-image
 
+permissions: {}
+
 on:
   release:
     types:

.github/workflows/mypy.yml

@@ -1,5 +1,7 @@
 name: mypy
 
+permissions: {}
+
 on:
   pull_request:
   push:

.github/workflows/pr-auto-label.yml

@@ -1,4 +1,7 @@
 name: "Pull Request Labeler"
+
+permissions: {}
+
 on:
 # The labeler doesn't execute any contributed code, so it should be fairly safe.
 - pull_request_target  # zizmor: ignore[dangerous-triggers]

.github/workflows/publish-release-notes-to-discourse.yml

@@ -1,5 +1,7 @@
 name: Publish Release Notes to Discourse
 
+permissions: {}
+
 on:
   release:
     types: [published]

.github/workflows/release.yml

@@ -1,5 +1,7 @@
 name: release-pipeline
 
+permissions: {}
+
 on:
   push:
     branches:

.github/workflows/slash_dispatch.yml

@@ -1,4 +1,7 @@
 name: Slash Command Dispatch
+
+permissions: {}
+
 on:
   issue_comment:
     types: [created]

.github/workflows/tests.yml

@@ -1,5 +1,7 @@
 name: tests
 
+permissions: {}
+
 on:
   pull_request:
   push:

.github/workflows/zizmor.yml

@@ -1,36 +1,26 @@
-# https://github.com/woodruffw/zizmor
-name: zizmor GHA analysis
+# Source: <https://github.com/zizmorcore/zizmor-action>
+name: GitHub Actions Security Analysis with zizmor 🌈
 
 on:
   push:
     branches: ["main"]
   pull_request:
     branches: ["**"]
 
+permissions: {}
+
 jobs:
   zizmor:
-    name: zizmor latest via PyPI
     runs-on: ubuntu-latest
     permissions:
       security-events: write
+      # contents: read # only needed for private repos
+      # actions: read # only needed for private repos
     steps:
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
 
-      - uses: hynek/setup-cached-uv@757bedc3f972eb7227a1aa657651f15a8527c817 # v2.3.0
-
       - name: Run zizmor 🌈
-        run: uvx zizmor --format sarif . > results.sarif
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@0499de31b99561a6d14a36a5f662c2a54f91beee # v4.31.2
-        with:
-          # Path to SARIF file relative to the root of the repository
-          sarif_file: results.sarif
-          # Optional category for the results
-          # Used to differentiate multiple results for one commit
-          category: zizmor
+        uses: zizmorcore/zizmor-action@e673c3917a1aef3c65c972347ed84ccd013ecda4 # v0.2.0