ci: apply zizmor recommendations

.github/dependabot.yml

@@ -11,7 +11,7 @@ updates:
     commit-message:
       prefix: chore
     cooldown:
-      default-days: 3
+      default-days: 7
     open-pull-requests-limit: 10
   - package-ecosystem: npm
     directory: '/'
@@ -25,7 +25,7 @@ updates:
     commit-message:
       prefix: chore
     cooldown:
-      default-days: 3
+      default-days: 7
     groups:
       format:
         patterns:

.github/workflows/build-directory-cache.yaml

@@ -3,6 +3,9 @@ name: Build Directory Cache
 on:
   workflow_dispatch:
 
+permissions:
+  contents: write # needed by stefanzweifel/git-auto-commit-action
+
 jobs:
   build-directory-cache:
     name: Build Directory Cache
@@ -15,6 +18,8 @@ jobs:
 
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: true # needed by stefanzweifel/git-auto-commit-action
 
       - name: Cache Dependencies
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5

.github/workflows/codeql.yml

@@ -20,20 +20,19 @@ on:
     # Once a week
     - cron: '41 12 * * 4'
 
+permissions:
+  # required for all workflows
+  security-events: write
+  # required to fetch internal or private CodeQL packs
+  packages: read
+  # only required for workflows in private repositories
+  actions: read
+  contents: read
+
 jobs:
   analyze:
     name: Analyze (javascript-typescript)
     runs-on: 'ubuntu-latest'
-    permissions:
-      # required for all workflows
-      security-events: write
-
-      # required to fetch internal or private CodeQL packs
-      packages: read
-
-      # only required for workflows in private repositories
-      actions: read
-      contents: read
 
     strategy:
       fail-fast: false
@@ -50,6 +49,8 @@ jobs:
 
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2

.github/workflows/dependency-review.yml

@@ -12,6 +12,8 @@ jobs:
     steps:
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Dependency Review
         uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0

.github/workflows/deploy.yml

@@ -6,6 +6,9 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   deploy:
     name: Deploy Cloudflare Worker
@@ -29,6 +32,8 @@ jobs:
 
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0

.github/workflows/format.yml

@@ -10,6 +10,9 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     name: Check Linting and Formatting
@@ -29,6 +32,8 @@ jobs:
 
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0

.github/workflows/test.yml

@@ -33,6 +33,8 @@ jobs:
 
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Setup Node
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0

.github/workflows/update-links.yml

@@ -1,7 +1,7 @@
 name: Update Redirect Links
 
 permissions:
-  contents: write
+  contents: write # needed by stefanzweifel/git-auto-commit-action
 
 on:
   # Triggered by https://github.com/nodejs/node/blob/main/.github/workflows/update-release-links.yml
@@ -36,6 +36,8 @@ jobs:
 
       - name: Git Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: true # needed by stefanzweifel/git-auto-commit-action
 
       - name: Cache Dependencies
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5

.github/workflows/zizmor.yaml

@@ -0,0 +1,24 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: main
+  pull_request:
+    branches: main
+
+permissions:
+  security-events: write
+  contents: read
+  actions: read
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3