Zizmor hardening (#66)

Author: Carreau

.github/dependabot.yml

@@ -7,6 +7,8 @@ updates:
     directory: "/" # Location of package manifests
     schedule:
       interval: "monthly"
+    cooldown:
+      default-days: 7
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
@@ -15,3 +17,5 @@ updates:
       actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7

.github/workflows/main.yml

@@ -6,6 +6,9 @@ on:
     - main
   pull_request:
 
+permissions:
+  contents: read
+
 defaults:
   run:
     shell: bash -l {0}
@@ -31,10 +34,12 @@ jobs:
 
     steps:
     - name: Checkout
-      uses: actions/checkout@v5
+      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      with:
+        persist-credentials: false
 
     - name: Setup Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ matrix.python-version }}
 

.github/workflows/publish.yml

@@ -16,10 +16,12 @@ jobs:
     permissions:
       id-token: write
     steps:
-    - uses: actions/checkout@v5
-    
+    - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
+      with:
+        persist-credentials: false
+
     - name: Set up Python
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: '3.x'
     - name: Install dependencies
@@ -31,7 +33,7 @@ jobs:
     - name: Install built wheel
       run: pip install dist/*.whl
     - name: Echo current tag
-      run: echo ${{ github.ref }}
+      run: echo "$GITHUB_REF"
     - name: Get package version
       run: |
         export PACKAGE_VERSION=$(python -c 'import matplotlib_inline; print(matplotlib_inline.__version__)')