🦅 [gha] improve security (#52)

* 🦅 [gha] improve security

* add actionlint

* restrict github-pages-overwriter similarly to others

Author: chicks-net

.github/workflows/actionlint.yml

@@ -0,0 +1,26 @@
+name: Lint GitHub Actions workflows
+
+on:
+  # Triggers the workflow on push or pull request events but only for the "main" branch
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# global permissions
+permissions: {}
+
+jobs:
+  actionlint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check workflow files
+        uses: docker://rhysd/actionlint:latest
+        with:
+          args: -color

.github/workflows/auto-assign.yml

@@ -7,14 +7,15 @@ on:
     types: [opened]
 
 # global permissions
-permissions: read-all
+permissions: {}
 
 jobs:
   run:
     runs-on: ubuntu-latest
     permissions:
       issues: write
       pull-requests: write
+      contents: read
     steps:
     - name: 'Auto-assign issue'
       uses: pozil/auto-assign-issue@v2

.github/workflows/checkov.yml

@@ -12,7 +12,7 @@ on:
   workflow_dispatch:
 
 # global permissions
-permissions: read-all
+permissions: {}
 
 # A workflow run is made up of one or more jobs that can run sequentially or in parallel
 jobs:

.github/workflows/github-pages.yml

@@ -6,7 +6,7 @@ on:
       - 'main'
 
 # global permissions
-permissions: read-all
+permissions: {}
 
 jobs:
   publish:

.github/workflows/markdownlint.yml

@@ -7,11 +7,13 @@ on:
   pull_request:
 
 # global permissions
-permissions: read-all
+permissions: {}
 
 jobs:
   lint:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
     - uses: actions/checkout@v4
     - uses: DavidAnson/markdownlint-cli2-action@v19