Address zizmor lint violations

.github/workflows/audit.yaml

@@ -9,6 +9,7 @@ name: Audit
       - trunk
   schedule:
     - cron: "0 0 * * TUE"
+permissions: {}
 jobs:
   ruby:
     name: Audit Ruby Dependencies
@@ -17,6 +18,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: Install Ruby toolchain
         uses: ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0

.github/workflows/block-merge.yaml

@@ -3,10 +3,14 @@ name: Merge
 "on":
   pull_request:
     types: [opened, labeled, unlabeled, synchronize]
+permissions: {}
 jobs:
   labels:
     name: Labels
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
 
     steps:
       - uses: mheap/github-action-required-labels@388fd6af37b34cdfe5a23b37060e763217e58b03 # v5.5

.github/workflows/ci.yaml

@@ -9,6 +9,7 @@ name: CI
       - trunk
   schedule:
     - cron: "0 0 * * TUE"
+permissions: {}
 jobs:
   test:
     name: Test
@@ -33,6 +34,7 @@ jobs:
         uses: actions/[email protected]
         with:
           path: generate_third_party_action
+          persist-credentials: false
 
       - name: Generate THIRDPARTY license listing
         id: generate_third_party
@@ -56,12 +58,15 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: Clone Artichoke
         uses: actions/[email protected]
         with:
           repository: artichoke/artichoke
           path: "artichoke"
+          persist-credentials: false
 
       - name: Install Ruby toolchain
         uses: ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0
@@ -112,6 +117,7 @@ jobs:
         uses: actions/[email protected]
         with:
           path: generate_third_party_action
+          persist-credentials: false
 
       - name: Generate THIRDPARTY license listing
         id: generate_third_party
@@ -135,6 +141,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: Install Ruby toolchain
         uses: ruby/setup-ruby@2654679fe7f7c29875c669398a8ec0791b8a64a1 # v1.215.0
@@ -156,6 +164,8 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js runtime
         uses: actions/[email protected]

.github/workflows/repo-labels.yaml

@@ -15,12 +15,18 @@
   schedule:
     - cron: "0 0 * * TUE"
 name: Create Repository Labels
+permissions: {}
 jobs:
   labels:
     name: Synchronize repository labels
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      issues: write
     steps:
       - uses: actions/[email protected]
+        with:
+          persist-credentials: false
 
       - name: Sync GitHub Issue Labels
         uses: crazy-max/ghaction-github-labeler@b54af0c25861143e7c8813d7cbbf46d2c341680c # v5.1.0

action.yaml

@@ -8,17 +8,17 @@ branding:
 
 inputs:
   artichoke_ref:
+    description: Git ref to checkout in artichoke/artichoke repository.
     required: true
-    type: string
   target_triple:
+    description: LLVM target triple used to select platform-specific dependencies.
     required: true
-    type: string
   output_file:
+    description: Path to output file.
     required: true
-    type: string
   github_token:
+    description: Github token from Actions environment.
     required: true
-    type: string
 
 runs:
   using: "composite"
@@ -37,12 +37,14 @@ runs:
       shell: bash
       id: paths
       run: |
-        temp_prefix="${{ github.workspace }}/${{ github.action }}-${{ github.run_id }}-${{ github.run_attempt }}"
-        mkdir -p "$temp_prefix"
-        artichoke_repository_path="${temp_prefix}/artichoke@${{ inputs.artichoke_ref }}"
-        echo "CLEANUP_PATH=${temp_prefix}" >> "$GITHUB_OUTPUT"
+        mkdir -p "$TEMP_PREFIX"
+        artichoke_repository_path="${TEMP_PREFIX}/artichoke@${ARTICHOKE_REF}"
+        echo "CLEANUP_PATH=${TEMP_PREFIX}" >> "$GITHUB_OUTPUT"
         echo "ARTICHOKE_REPOSITORY_PATH=${artichoke_repository_path}" >> "$GITHUB_OUTPUT"
         echo "CARGO_MANIFEST_PATH=${artichoke_repository_path}/Cargo.toml" >> "$GITHUB_OUTPUT"
+      env:
+        TEMP_PREFIX: ${{ github.workspace }}/${{ github.action }}-${{ github.run_id }}-${{ github.run_attempt }}
+        ARTICHOKE_REF: ${{ inputs.artichoke_ref }}
 
     - name: Clone Artichoke
       uses: actions/[email protected]
@@ -79,13 +81,15 @@ runs:
     - name: Generate THIRDPARTY
       shell: bash
       run: |
-        generate-third-party-text-file-single-target \
-          --target "${{ inputs.target_triple }}" \
-          "${{ steps.paths.outputs.CARGO_MANIFEST_PATH }}" \
-          > "${{ inputs.output_file }}"
+        generate-third-party-text-file-single-target --target "$TARGET_TRIPLE" "$CARGO_MANIFEST_PATH" > "$OUTPUT_FILE"
       env:
         RUST_TOOLCHAIN: stable
+        TARGET_TRIPLE: ${{ inputs.target_triple }}
+        CARGO_MANIFEST_PATH: ${{ steps.paths.outputs.CARGO_MANIFEST_PATH }}
+        OUTPUT_FILE: ${{ inputs.output_file }}
 
     - name: Cleanup
       shell: bash
-      run: rm -rf "${{ steps.paths.outputs.CLEANUP_PATH }}"
+      run: rm -rf "$CLEANUP_PATH"
+      env:
+        CLEANUP_PATH: ${{ steps.paths.outputs.CLEANUP_PATH }}