ci: pin action hashes and escape variables with minimum permission

[zimeg]

Summary

This PR uses the wonderful zizmor tool to audit our own workflows and pinact for pinned versioning 👾

Reviewers

A similar audit can be performed with the zizmor tool:

$ zizmor .
...
No findings to report. Good job! (1 ignored, 7 suppressed)

The suppressed findings are expected permission blocks at the top-level of a workflow, but we set this for each job.

Notes

Most changes I hope are repetitive, but I will comment on the more significant ones!

Requirements

• I've read and understood the Contributing Guidelines and have done my best effort to follow them.
• I've read and agree to the Code of Conduct.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 63.32%. Comparing base (7235111) to head (8a2d7af).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #100   +/-   ##
=======================================
  Coverage   63.32%   63.32%           
=======================================
  Files         211      211           
  Lines       22282    22282           
=======================================
  Hits        14110    14110           
  Misses       7085     7085           
  Partials     1087     1087           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[zimeg]

💌 Notes on reasons that certain lines were changed for the most curious and kind reviewers!

[zimeg]

Heh the comments above explain the reason we use pull_request_target here but this comment makes a hopeful assumption that zizmor can be added to pipelines for future audits 🤖 ✨

[zimeg]

🪓 In this file we do not need to checkout all things!

[zimeg]

🪓 In this file we do need to fetch tags from past commits. This might be a lot of commits, and this TODO can be deceiving...

[mwbrooks]

✅ LGTM! Thanks for helping to boost our security.

❓ I left one question around dependabot and how we want to handle its PRs going forward, but it's non-blocking to merging this one!

[mwbrooks]

note: Whoa, this is intense! I understand from a security point-of-view (pinning to a dash instead of a tag). Thanks for adding the comment!

question: How will dependabot handle this going forward? Will it try to use a tag?

[zimeg]

@mwbrooks I had the exact same questions! It's nice that we can keep this comment inline for somewhat reasonable understandings - I cannot remember hashes so well... 🔍

How will dependabot handle this going forward? Will it try to use a tag?

AFAICT tags from official releases will be used in these updates and the comment that follows will match. This should match the current updating events, but instead with commit details!

An example update has shown this to be alright and this blog post shared a few more detail 🎃

[mwbrooks]

praise: Clean! ✨

[zimeg]

📝 Quick note, I find this surprisingly more portable too!

I don't believe the handlebar notation is supported in bash, but I do know environment variables are 😉

[zimeg]

@mwbrooks Thanks for the quick and curious review! 🔏 ✨

Explorations with tags in this project has now made me warried of using these as immutable values... But we can guard against that with this change! I will merge this now.