🩹[Patch]: Update GitHub Actions security and linting configuration (#36)

This update improves the security posture of GitHub Actions workflows by
addressing zizmor linting warnings. All action references are now pinned
to specific commit hashes, permissions follow the principle of least
privilege, and insecure workflow triggers have been replaced with safer
alternatives.

## Security improvements

### Pinned action references

All GitHub Actions are now pinned to specific commit SHA hashes instead
of mutable tags, preventing supply chain attacks:

- `actions/checkout` → `de0fac2e4500dabe0009e67214ff5f5447ce83dd`
(v6.0.2)
- `actions/upload-artifact` → `ea165f8d65b6e75b540449e92b4886f43607fa02`
(v4.6.2)
- `super-linter/super-linter` →
`d5b0a2ab116623730dd094f15ddc1b6b25bf7b99` (v8.3.2)
- `super-linter/super-linter/slim` →
`2bdd90ed3262e023ac84bf8fe35dc480721fc1f2` (v8.2.1)
- `PSModule/Auto-Release` → `eabd533035e2cb9822160f26f2eda584bd012356`
(v1.9.5)
- `PSModule/Install-PSModuleHelpers` →
`d60d63e4be477d1ca0c67c6085101fb109bce8f1` (v1.0.6)

### Workflow trigger security

Changed `pull_request_target` to `pull_request` in Auto-Release workflow
to prevent potential code injection attacks from forked repositories.

### Least privilege permissions

Moved `statuses: write` permission from workflow-level to job-level in
Action-Test workflow, applying it only to the `ActionTestDefault` job
that actually requires it for the linter.

### Credential persistence

Added `persist-credentials: false` to checkout steps to prevent
credential persistence in artifacts.

## Linting configuration

- Enabled `VALIDATE_GITHUB_ACTIONS_ZIZMOR` in Linter workflow
(previously disabled)
- Updated dependabot schedule to daily with 7-day cooldown for better
dependency management

Author: MariusStorhaug

.github/dependabot.yml

@@ -11,4 +11,6 @@ updates:
       - dependencies
       - github-actions
     schedule:
-      interval: weekly
+      interval: daily
+    cooldown:
+      default-days: 7

.github/workflows/Action-Test.yml

@@ -20,21 +20,20 @@ concurrency:
 
 permissions:
   contents: read # to checkout the repo
-  statuses: write # to create commit status
 
 jobs:
   UploadArtifact:
     name: Upload Artifact
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Upload module artifact
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: module
           path: tests/srcTestRepo/outputs/module
@@ -45,9 +44,12 @@ jobs:
     name: Action-Test - [Default]
     runs-on: ubuntu-latest
     needs: UploadArtifact
+    permissions:
+      contents: read
+      statuses: write # to create commit status from linter
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           fetch-depth: 0
@@ -59,7 +61,7 @@ jobs:
           WorkingDirectory: tests/srcTestRepo
 
       - name: Lint documentation
-        uses: super-linter/super-linter/slim@v8.2.1
+        uses: super-linter/super-linter/slim@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2 # v8.2.1
         env:
           GITHUB_TOKEN: ${{ github.token }}
           VALIDATE_MARKDOWN: true
@@ -73,12 +75,11 @@ jobs:
     needs: UploadArtifact
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           fetch-depth: 0
 
-
       - name: Action-Test
         uses: ./
         with:

.github/workflows/Auto-Release.yml

@@ -3,7 +3,7 @@ name: Auto-Release
 run-name: "Auto-Release - [${{ github.event.pull_request.title }} #${{ github.event.pull_request.number }}] by @${{ github.actor }}"
 
 on:
-  pull_request_target:
+  pull_request:
     branches:
       - main
     types:
@@ -26,7 +26,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Code
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Auto-Release
-        uses: PSModule/Auto-Release@v1
+        uses: PSModule/Auto-Release@eabd533035e2cb9822160f26f2eda584bd012356 # v1.9.5

.github/workflows/Linter.yml

@@ -19,17 +19,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout repo
-        uses: actions/checkout@v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           persist-credentials: false
           fetch-depth: 0
 
       - name: Lint code base
-        uses: super-linter/super-linter@latest
+        uses: super-linter/super-linter@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          VALIDATE_BIOME_FORMAT: false
           VALIDATE_JSON_PRETTIER: false
           VALIDATE_MARKDOWN_PRETTIER: false
           VALIDATE_YAML_PRETTIER: false
-          VALIDATE_BIOME_FORMAT: false
-          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false

action.yml

@@ -19,7 +19,7 @@ runs:
   using: composite
   steps:
     - name: Install-PSModuleHelpers
-      uses: PSModule/Install-PSModuleHelpers@v1
+      uses: PSModule/Install-PSModuleHelpers@d60d63e4be477d1ca0c67c6085101fb109bce8f1 # v1.0.6
 
     - name: Document-PSModule
       shell: pwsh