chore(ci): address overly broad permissions scopes

[miketheman]

• inform checkout to not persist credentials
• move permissions from workflow to job scope

Thanks, Dr. Zizmor!
Refs: https://github.com/woodruffw/zizmor

[woodruffw]

LGTM! 🌈

[ewdurbin]

looks like excellent best practices work. assuming this was based on the output of a tool, can the tool be included in our linting to make sure we don’t regress and that new workflows and permissions are similarly well scoped?

[woodruffw]

looks like excellent best practices work. assuming this was based on the output of a tool, can the tool be included in our linting to make sure we don’t regress and that new workflows and permissions are similarly well scoped?

Yep! The easiest thing to do might be to copy this workflow, which uses the current SARIF support to integrate zizmor's results directly into GitHub's security tool/reporting infrastructure: https://github.com/woodruffw/zizmor/blob/main/.github/workflows/zizmor.yml

(The other option would be to just run zizmor in CI, and manually triage the results it produces.)

[woodruffw]

For ref, this is what the SARIF integration looks like (it's currently barebones, but will get better over time):

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[miketheman]

can the tool be included in our linting to make sure we don’t regress and that new workflows and permissions are similarly well scoped?

Done in 311777b