ci: audit workflows with zizmor

Author: link2xt

.github/workflows/ci.yml

@@ -16,6 +16,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 env:
   RUSTFLAGS: -Dwarnings
 
@@ -29,6 +31,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - name: Install rustfmt and clippy
         run: rustup toolchain install $RUSTUP_TOOLCHAIN --profile minimal --component rustfmt --component clippy
       - name: Cache rust cargo artifacts
@@ -49,6 +52,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - name: Rebuild constants
         run: npm run build:core:constants
       - name: Check that constants are not changed
@@ -61,6 +65,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: EmbarkStudios/cargo-deny-action@v2
         with:
           arguments: --all-features --workspace
@@ -74,6 +79,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - name: Check provider database
         run: scripts/update-provider-database.sh
 
@@ -86,6 +92,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - name: Cache rust cargo artifacts
         uses: swatinem/rust-cache@v2
       - name: Rustdoc
@@ -111,6 +118,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
 
       - name: Install Rust ${{ matrix.rust }}
         run: rustup toolchain install --profile minimal ${{ matrix.rust }}
@@ -147,6 +155,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
 
       - name: Cache rust cargo artifacts
         uses: swatinem/rust-cache@v2
@@ -171,6 +180,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
 
       - name: Cache rust cargo artifacts
         uses: swatinem/rust-cache@v2
@@ -192,6 +202,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
 
       - name: Install tox
         run: pip install tox
@@ -234,6 +245,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
 
       - name: Download libdeltachat.a
         uses: actions/download-artifact@v4
@@ -286,6 +298,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
 
       - name: Install python
         uses: actions/setup-python@v5

.github/workflows/deltachat-rpc-server.yml

@@ -17,6 +17,8 @@ on:
   release:
     types: [published]
 
+permissions: {}
+
 jobs:
   # Build a version statically linked against musl libc
   # to avoid problems with glibc version incompatibility.
@@ -31,6 +33,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
 
@@ -55,6 +58,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
 
@@ -80,6 +84,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
 
       - name: Setup rust target
         run: rustup target add ${{ matrix.arch }}-apple-darwin
@@ -105,6 +110,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
 
@@ -132,6 +138,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
 
@@ -258,8 +265,9 @@ jobs:
         if: github.event_name == 'release'
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          gh release upload ${{ github.ref_name }} \
+          gh release upload "$REF_NAME" \
             --repo ${{ github.repository }} \
             bin/* dist/*
 
@@ -280,6 +288,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: actions/setup-python@v5
         with:
           python-version: "3.11"
@@ -385,8 +394,9 @@ jobs:
         if: github.event_name == 'release'
         env:
           GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          REF_NAME: ${{ github.ref_name }}
         run: |
-          gh release upload ${{ github.ref_name }} \
+          gh release upload "$REF_NAME" \
             --repo ${{ github.repository }} \
             deltachat-rpc-server/npm-package/*.tgz
 

.github/workflows/jsonrpc-client-npm-package.yml

@@ -4,6 +4,8 @@ on:
   release:
     types: [published]
 
+permissions: {}
+
 jobs:
   pack-module:
     name: "Publish @deltachat/jsonrpc-client"
@@ -15,6 +17,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
 
       - uses: actions/setup-node@v4
         with:

.github/workflows/jsonrpc.yml

@@ -6,6 +6,8 @@ on:
   pull_request:
     branches: [main]
 
+permissions: {}
+
 env:
   CARGO_TERM_COLOR: always
   RUST_MIN_STACK: "8388608"
@@ -17,6 +19,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - name: Use Node.js 18.x
         uses: actions/setup-node@v4
         with:

.github/workflows/nix.yml

@@ -12,6 +12,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   format:
     name: check flake formatting
@@ -20,6 +22,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - run: nix fmt
@@ -80,6 +83,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - run: nix build .#${{ matrix.installable }}
@@ -99,6 +103,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - run: nix build .#${{ matrix.installable }}

.github/workflows/node-docs.yml

@@ -10,13 +10,16 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   generate:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
 
       - name: Use Node.js 18.x
         uses: actions/setup-node@v4

.github/workflows/node-package.yml

@@ -6,6 +6,8 @@ on:
       - "*"
       - "!py-*"
 
+permissions: {}
+
 jobs:
   prebuild:
     name: Prebuild
@@ -17,6 +19,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: "18"
@@ -78,6 +81,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: "18"
@@ -142,6 +146,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: "18"

.github/workflows/node-tests.yml

@@ -15,6 +15,8 @@ on:
     branches:
       - main
 
+permissions: {}
+
 jobs:
   tests:
     name: Tests
@@ -26,6 +28,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: "18"

.github/workflows/publish-deltachat-rpc-client-pypi.yml

@@ -5,6 +5,8 @@ on:
   release:
     types: [published]
 
+permissions: {}
+
 jobs:
   build:
     name: Build distribution
@@ -14,6 +16,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - name: Install pypa/build
         run: python3 -m pip install build
       - name: Build a binary wheel and a source tarball

.github/workflows/repl.yml

@@ -7,6 +7,8 @@ name: Build Windows REPL .exe
 on:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   build_repl:
     name: Build REPL example
@@ -15,6 +17,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
       - name: Build

.github/workflows/upload-docs.yml

@@ -6,6 +6,8 @@ on:
       - main
       - build_jsonrpc_docs_ci
 
+permissions: {}
+
 jobs:
   build-rs:
     runs-on: ubuntu-latest
@@ -14,6 +16,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
       - name: Build the documentation with cargo
         run: |
           cargo doc --package deltachat --no-deps --document-private-items
@@ -31,6 +34,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
           fetch-depth: 0 # Fetch history to calculate VCS version number.
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
@@ -50,6 +54,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
           fetch-depth: 0 # Fetch history to calculate VCS version number.
       - uses: DeterminateSystems/nix-installer-action@main
       - uses: DeterminateSystems/magic-nix-cache-action@main
@@ -72,6 +77,7 @@ jobs:
       - uses: actions/checkout@v4
         with:
           show-progress: false
+          persist-credentials: false
           fetch-depth: 0 # Fetch history to calculate VCS version number.
       - name: Use Node.js
         uses: actions/setup-node@v4