Harden GitHub workflows

.github/dependabot.yml

@@ -0,0 +1,11 @@
+version: 2
+updates:
+  # Maintain dependencies for GitHub Actions.
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    cooldown:
+      default-days: 7
+    ignore:
+      - dependency-name: "yiisoft/*"

.github/workflows/docs.yml

@@ -8,14 +8,19 @@
 
 permissions:
   contents: read
-  checks: write
 
 jobs:
   build:
+    permissions:
+      checks: write
+      contents: read
+
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+        with:
+          persist-credentials: false
 
       - name: Fetch styles
         run: |
@@ -24,7 +29,7 @@
           unzip Microsoft.zip -d .github/styles
 
       - name: Check
-        uses: errata-ai/vale-action@reviewdog
+        uses: errata-ai/vale-action@85f9f7f2c5f449ac0ae5b66662961bae3f77ca6a
         with:
           reporter: github-check
           fail_on_error: false
@@ -33,24 +38,25 @@
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 
   links:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Find files to check
         id: links
         shell: bash
         run: |
           if [ "${{ github.event_name }}" = "pull_request" ]; then
             git diff --name-status --diff-filter=ACMRTD "${{ github.event.pull_request.base.sha }}...HEAD" > changed-files.txt
           elif [ "${{ github.event.before }}" = "0000000000000000000000000000000000000000" ]; then
             git diff-tree --root --no-commit-id --name-status -r "${{ github.sha }}" > changed-files.txt
           else
             git diff --name-status --diff-filter=ACMRTD "${{ github.event.before }}..${{ github.sha }}" > changed-files.txt
           fi
 
           check_all=false
@@ -82,7 +88,7 @@
 
       - name: Setup Node.js
         if: steps.links.outputs.count != '0'
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: 22
           cache: npm

.github/workflows/github-pages.yml

@@ -8,22 +8,22 @@
 
 permissions:
   contents: read
-  pages: write
-  id-token: write
 
 concurrency:
   group: "pages"
   cancel-in-progress: false
 
 jobs:
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10
+        with:
+          persist-credentials: false
 
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020
         with:
           node-version: 22
           cache: npm
@@ -35,12 +35,16 @@
         run: npm run build
 
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@7b1f4a764d45c48632c6b24a0339c27f5614fb0b
         with:
           path: src/.vitepress/dist
 
   deploy:
     if: ${{ github.event_name == 'push' || github.event_name == 'workflow_dispatch' }}
+    permissions:
+      pages: write
+      id-token: write
+
     environment:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
@@ -49,4 +53,4 @@
     steps:
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e

.github/workflows/translate.yml

@@ -1,7 +1,7 @@
 name: Update translations
 
 on:
-  pull_request_target:
+  pull_request:
     paths:
       - '_translations/**'
   push:
@@ -10,31 +10,39 @@
       - '_translations/**'
       - 'src/**'
 
+permissions:
+  contents: write
 jobs:
   update-docs:
     name: Update docs
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
         with:
           token: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }}
           ref: ${{ github.head_ref }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
+          persist-credentials: false
 
       - name: Prepare po4a configuration
         run: _translations/prepare-config.sh
 
       - name: Use po4a
-        uses: vjik/docker-run@v1
+        uses: vjik/docker-run@623c9adf6ee99fc8f9fa4e3b0b6b0c25859b69ee
         with:
           image: ghcr.io/yiisoft-contrib/po4a:0.74
           volumes: ${{ github.workspace }}:/src
           workdir: /src/_translations
           command: po4a po4a.conf && po4a po4a.conf
 
+      - name: Configure Git credentials
+        env:
+          GH_TOKEN: ${{ secrets.YIISOFT_GITHUB_TOKEN || github.token }}
+        run: git config --global credential.helper '!f() { echo username=x-access-token; echo password=$GH_TOKEN; }; f'
+
       - name: Commit changed files
-        uses: stefanzweifel/git-auto-commit-action@v5
+        uses: stefanzweifel/git-auto-commit-action@b863ae1933cb653a53c021fe36dbb774e1fb9403
         with:
           commit_message: Update translation
           file_pattern: '_translations src'

.github/workflows/zizmor.yml

@@ -0,0 +1,22 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches:
+      - master
+      - main
+    paths:
+      - '.github/**.yml'
+      - '.github/**.yaml'
+  pull_request:
+    paths:
+      - '.github/**.yml'
+      - '.github/**.yaml'
+
+permissions:
+  actions: read # Required by zizmor when reading workflow metadata through the API.
+  contents: read # Required to read workflow files.
+
+jobs:
+  zizmor:
+    uses: yiisoft/actions/.github/workflows/zizmor.yml@master