ci: apply zizmor suggestions

.github/dependabot.yml

@@ -11,4 +11,4 @@ updates:
       - "github_actions"
       - "auto-merge"
     cooldown:
-      default-days: 3
+      default-days: 7

.github/workflows/auto-merge.yml

@@ -13,14 +13,17 @@ jobs:
   auto-merge:
     if: github.repository == 'nodejs/web-team'
     runs-on: ubuntu-latest
-    
+
     steps:
       - name: Harden Runner
         uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: true
+
       - uses: ./actions/auto-merge-prs
         with:
           merge-method: queue

.github/workflows/codeql.yml

@@ -48,6 +48,8 @@ jobs:
 
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL

.github/workflows/dependency-review.yml

@@ -13,6 +13,8 @@ jobs:
     steps:
       - name: "Checkout Repository"
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: "Dependency Review"
         uses: actions/dependency-review-action@2031cfc080254a8a887f58cffee85186f0e49e48 # v4.9.0

.github/workflows/inactive-collaborator-report.yml

@@ -22,6 +22,8 @@ jobs:
           egress-policy: audit
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: true
 
       - name: Report inactive collaborators
         id: inactive

.github/workflows/notify-on-push.yml

@@ -16,6 +16,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
       - uses: ./actions/notify-on-push
         with:
           webhook: ${{ secrets.SLACK_WEBHOOK }}

.github/workflows/zizmor.yml

@@ -0,0 +1,32 @@
+name: Zizmor
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  zizmor:
+    name: Zizmor Security Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@b1d7e1fb5de872772f31590499237e7cce841e8e # v0.5.3

actions/setup-environment/action.yml

@@ -45,6 +45,7 @@ runs:
     - name: Checkout repository
       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
+        persist-credentials: false
         ref: ${{ inputs.ref }}
         fetch-depth: ${{ inputs.fetch-depth }}
         token: ${{ inputs.token }}
@@ -72,9 +73,9 @@ runs:
     - name: Install dependencies with pnpm
       if: inputs.pnpm == 'true'
       shell: bash
-      run: pnpm install --frozen-lockfile ${{ inputs.install-flags }}
+      run: pnpm install --frozen-lockfile ${{ inputs.install-flags }} # zizmor: ignore[template-injection] intentional
 
     - name: Install dependencies with npm
       if: inputs.pnpm != 'true'
       shell: bash
-      run: npm ci ${{ inputs.install-flags }}
+      run: npm ci ${{ inputs.install-flags }} # zizmor: ignore[template-injection] intentional