Conversation

@woodruffw
Contributor

zizmor flagged these while I was doing #2443 🙂

This fixes a handful of mostly minor security issues in the workflows/Dependabot configurations used in this repo. Namely:

  • All actions are now fully hash-pinned, to make runs more hermetic/make it impossible for an external tag overwrite to modify CI behavior here.
  • All actions/checkout usage now either explicitly disables credential persistence or explicitly enables it if the job previously implicitly required it (e.g. for git push).
  • All workflows now drop their default permissions to the empty set (permissions: {}), and only give each internal job the specific permissions it needs.
  • Dependabot now includes a cooldown on its updates (of 7 days), making it harder for an opportunistic compromise of an action dependency to impact this repo (since it'd need to survive in the wild for longer).

Hopefully these changes are welcome! If not, please feel free to close this.

@tarcieri
Member

@woodruffw these changes are welcome but https://github.com/rustsec/rustsec is probably the more important repo as it contains the actual source code, whereas this repo is largely a bunch of TOML files

@woodruffw
Contributor Author

> @woodruffw these changes are welcome but rustsec/rustsec is probably the more important repo as it contains the actual source code, whereas this repo is largely a bunch of TOML files

Cool, I can follow up there as well!

@djc djc merged commit d43d0de into rustsec:main Oct 26, 2025
1 check passed
@djc
Contributor

djc commented Oct 26, 2025

It looks like this has broken the ID assigner:

Pushing pull request branch to 'origin/assign-ids'
  /usr/bin/git push --force-with-lease origin assign-ids:refs/heads/assign-ids
  remote: Permission to rustsec/advisory-db.git denied to github-actions[bot].
  fatal: unable to access 'https://github.com/rustsec/advisory-db/': The requested URL returned error: 403
  Error: The process '/usr/bin/git' failed with exit code 128

@woodruffw
Contributor Author

woodruffw commented Oct 26, 2025

> It looks like this has broken the ID assigner:
>
> Pushing pull request branch to 'origin/assign-ids'
>   /usr/bin/git push --force-with-lease origin assign-ids:refs/heads/assign-ids
>   remote: Permission to rustsec/advisory-db.git denied to github-actions[bot].
>   fatal: unable to access 'https://github.com/rustsec/advisory-db/': The requested URL returned error: 403
>   Error: The process '/usr/bin/git' failed with exit code 128

Hmm, it probably needs a combination of persist-credentials: true and the contents: write permission within that job. Sorry about that, GHA makes it hard to see these kinds of permission dependencies until they actually fail.

I can send a patch for that in a moment.
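To make the permission dependency discussed in this thread concrete, the following is an added illustration (not the PR's own diff, nor rustsec's actual workflow) of how the four changes from the PR description and the persist-credentials/contents: write fix fit together. The workflow and script names, the all-zero commit SHA and the git identity are placeholders.

```yaml
# .github/workflows/assign-ids.yml (hypothetical file; all-zero SHAs are placeholders)
name: assign-ids
on:
  push:
    branches: [main]

# Workflow-wide default: the job token gets no permissions at all.
permissions: {}

jobs:
  lint:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # read-only job: it can clone and nothing else
    steps:
      # Pinned to a full commit SHA rather than a mutable tag; the tag is kept as a comment.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: false   # no token left in .git/config for later steps
      - run: ./scripts/lint.sh         # hypothetical script

  assign-ids:
    runs-on: ubuntu-latest
    permissions:
      contents: write           # required for the git push below; without it: 403
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4 (placeholder SHA)
        with:
          persist-credentials: true    # the push step relies on the checkout token
      - run: |
          ./scripts/assign-ids.sh      # hypothetical script
          git config user.name  "github-actions[bot]"
          git config user.email "bot@example.invalid"   # placeholder identity
          git commit -am "Assign advisory IDs" || exit 0   # nothing to push
          git push --force-with-lease origin HEAD:refs/heads/assign-ids
---
# .github/dependabot.yml
version: 2
updates:
  - package-ecosystem: github-actions
    directory: /
    schedule:
      interval: weekly
    cooldown:
      default-days: 7          # skip action releases younger than 7 days
```

Only the job that actually pushes gets both contents: write and a persisted token; every other job stays read-only with no token on disk, which is the combination the 403 above indicates was missing.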

@woodruffw woodruffw deleted the ww/zizmor branch October 26, 2025 14:21
@woodruffw
Contributor Author

#2448 has the fix.
