Harden GitHub Actions workflows

.github/workflows/release.yml

@@ -7,8 +7,7 @@ on:
       - "[0-9]+.[0-9]+.[0-9]+*"
 
 permissions:
-  contents: write
-
+  contents: read
 
 jobs:
   build-macos:
@@ -17,13 +16,13 @@ jobs:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-      - run: git fetch --tags --force origin ${{ github.ref }}
-      - run: git checkout ${{ github.ref }}
+          persist-credentials: false
+      - run: git fetch --tags --force origin ${GITHUB_REF}
+      - run: git checkout ${GITHUB_REF}
       - run: git describe --always HEAD
       - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
         with:
           github_access_token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: DeterminateSystems/magic-nix-cache-action@def9f5a5c6a6b8751c0534e8813a5d0ad2635660 # v11
       - run: nix develop --command make crossbuild_mac
       - run: nix develop --command make crossbuild_mac_bundles
       - name: 'Upload Artifacts'
@@ -39,13 +38,13 @@ jobs:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
-      - run: git fetch --tags --force origin ${{ github.ref }}
-      - run: git checkout ${{ github.ref }}
+          persist-credentials: false
+      - run: git fetch --tags --force origin ${GITHUB_REF}
+      - run: git checkout ${GITHUB_REF}
       - run: git describe --always HEAD
       - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
         with:
           github_access_token: ${{ secrets.GITHUB_TOKEN }}
-      - uses: DeterminateSystems/magic-nix-cache-action@def9f5a5c6a6b8751c0534e8813a5d0ad2635660 # v11
       - run: nix develop --command make crossbuild
       - name: 'Upload Artifacts'
         id: upload
@@ -57,11 +56,14 @@ jobs:
   release:
     needs: [build-macos, build-others]
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
         with:

.github/workflows/test.yml

@@ -1,5 +1,8 @@
 name: Build and test
 
+permissions:
+  contents: read
+
 on:
   pull_request:
   push:
@@ -9,6 +12,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
         with:
           github_access_token: ${{ secrets.GITHUB_TOKEN }}
@@ -21,6 +26,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
         with:
           github_access_token: ${{ secrets.GITHUB_TOKEN }}
@@ -31,6 +38,8 @@ jobs:
     runs-on: macos-latest
     steps:
       - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
       - uses: cachix/install-nix-action@616559265b40713947b9c190a8ff4b507b5df49b # v31
         with:
           github_access_token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/zizmor.yml

@@ -0,0 +1,21 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+        with:
+          persist-credentials: false
+
+      - uses: zizmorcore/zizmor-action@5f14fd08f7cf1cb1609c1e344975f152c7ee938d # v0.5.6