fix all but 1 zizmor lints

Author: ocefpaf

.github/dependabot.yml

@@ -12,4 +12,4 @@ updates:
     groups:
       github-actions:
         patterns:
-          - '*'
+          - '*'

.github/workflows/cibuildwheel.yml

@@ -2,10 +2,10 @@ name: Wheels
 
 on:
   pull_request:
-
   push:
-    tags:
-      - "v*"
+  release:
+    types:
+      - published
 
 jobs:
   build_bdist:
@@ -28,19 +28,20 @@ jobs:
             arch: x86_64
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
         fetch-depth: 0
+        persist-credentials: false
 
     # For aarch64 support
     # https://cibuildwheel.pypa.io/en/stable/faq/#emulation
-    - uses: docker/setup-qemu-action@v3
+    - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392  # v3.6.0
       with:
         platforms: all
       if: runner.os == 'Linux' && matrix.arch == 'aarch64'
 
     - name: "Building ${{ matrix.os }} (${{ matrix.arch }}) wheels"
-      uses: pypa/[email protected]
+      uses: pypa/cibuildwheel@5f22145df44122af0f5a201f93cf0207171beca7  # v3.0.0
       env:
         # Skips pypy and musllinux for now.
         CIBW_SKIP: "pp* cp36-* cp37-* cp38-* *-musllinux*"
@@ -52,19 +53,21 @@ jobs:
           python -c "import gsw; print(f'gsw v{gsw.__version__}')" &&
           python -m pytest --pyargs gsw
 
-    - uses: actions/upload-artifact@v4
+    - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
       with:
         name: pypi-artifacts-${{ matrix.os }}-${{ matrix.arch }}
         path: ${{ github.workspace }}/wheelhouse/*.whl
-
+    permissions:
+      actions: write
 
   build_sdist:
     name: Build source distribution
     runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Build sdist
         run: >
@@ -73,17 +76,19 @@ jobs:
           && twine check dist/*
           && check-manifest --verbose
 
-      - uses: actions/upload-artifact@v4
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         with:
           name: pypi-artifacts
           path: ${{ github.workspace }}/dist/*.tar.gz
+    permissions:
+      actions: write
 
   show-artifacts:
     needs: [build_bdist, build_sdist]
     name: "Show artifacts"
     runs-on: ubuntu-22.04
     steps:
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
       with:
         pattern: pypi-artifacts*
         path: ${{ github.workspace }}/dist
@@ -92,7 +97,8 @@ jobs:
     - shell: bash
       run: |
         ls -l ${{ github.workspace }}/dist
-
+    permissions:
+      actions: none
 
   publish-artifacts-pypi:
     needs: [build_bdist, build_sdist]
@@ -101,14 +107,16 @@ jobs:
     # upload to PyPI for every tag starting with 'v'
     if: github.event_name == 'push' && startsWith(github.event.ref, 'refs/tags/v')
     steps:
-    - uses: actions/download-artifact@v4
+    - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093  # v4.3.0
       with:
         pattern: pypi-artifacts*
         path: ${{ github.workspace }}/dist
         merge-multiple: true
 
-    - uses: pypa/gh-action-pypi-publish@release/v1
+    - uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc  # v1.12.4
       with:
         user: __token__
         password: ${{ secrets.PYPI_PASSWORD }}
         print_hash: true
+    permissions:
+      actions: write

.github/workflows/deploy-docs.yml

@@ -2,10 +2,10 @@ name: Build and Deploy docs
 
 on:
   pull_request:
-
   push:
-    tags:
-      - "v*"
+  release:
+    types:
+      - published
 
 defaults:
   run:
@@ -15,10 +15,14 @@ jobs:
   run:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
+    - name: checkout
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        fetch-depth: 0
+        persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065   # v5.6.0
       with:
         python-version: "3.x"
 
@@ -36,7 +40,9 @@ jobs:
 
     - name: GitHub Pages action
       if: success() && github.event_name == 'release'
-      uses: peaceiris/actions-gh-pages@v4
+      uses: peaceiris/actions-gh-pages@4f9cc6602d3f66b9c108549d475ec49e8ef4d45e  # v4.0.0
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: docs/_build/html
+    permissions:
+      actions: write

.github/workflows/pre-commit.yml

@@ -9,6 +9,8 @@ jobs:
   pre-commit:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v4
-    - uses: actions/setup-python@v5
-    - uses: pre-commit/[email protected]
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+    - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
+    - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  # v3.0.1
+  permissions:
+    actions: none

.github/workflows/test_code_generation.yml

@@ -3,7 +3,7 @@ name: Test code generation
 on:
   pull_request:
   push:
-    branches: [main]
+    branches: [ main ]
 
 defaults:
   run:
@@ -14,10 +14,13 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        fetch-depth: 0
+        persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065   # v5.6.0
       with:
         python-version: "3.x"
 
@@ -39,4 +42,6 @@ jobs:
     - name: Install gsw
       run: >
         python -m pip install -v -e  . --no-deps --no-build-isolation --force-reinstall
-        && python -m pytest -s -rxs -v gsw/tests
+        && python -m pytest -s -rxs -v gsw/tests
+    permissions:
+      actions: none

.github/workflows/tests.yml

@@ -3,7 +3,7 @@ name: Tests
 on:
   pull_request:
   push:
-    branches: [main]
+    branches: [ main ]
 
 defaults:
   run:
@@ -24,10 +24,13 @@ jobs:
       fail-fast: false
 
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
+      with:
+        fetch-depth: 0
+        persist-credentials: false
 
     - name: Set up Python
-      uses: actions/setup-python@v5
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065   # v5.6.0
       with:
         python-version: ${{ matrix.python-version }}
 
@@ -40,3 +43,5 @@ jobs:
     - name: Tests
       run: |
         python -m pytest -s -rxs -v gsw/tests
+    permissions:
+      actions: none