ci: use minimum sets of permission and pinned external workflow step actions (#21)

Author: zimeg

.github/workflows/changelog.yml

@@ -9,9 +9,10 @@ jobs:
       contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Check for logged changes
         run: |
           git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.sha }} | grep ^CHANGELOG.md$

.github/workflows/release.yml

@@ -13,20 +13,21 @@ jobs:
       packages: write
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
       - name: Install a flaked Nix
-        uses: DeterminateSystems/nix-installer-action@v17
+        uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 # v17
       - name: Publish artifacts
         run: |
           nix develop -c goreleaser release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Include documentation
         run: |
-          TAG="${{ github.ref_name }}"
           VERSION="${TAG#v}"
           gh release upload "$TAG" man/git-coverage.1#git-coverage_"$VERSION"_man.1
         env:
           GH_TOKEN: ${{ github.token }}
+          TAG: ${{ github.ref_name }}

.github/workflows/test.yml

@@ -11,16 +11,18 @@ jobs:
       contents: read
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Install a flaked Nix
-        uses: DeterminateSystems/nix-installer-action@v17
+        uses: DeterminateSystems/nix-installer-action@21a544727d0c62386e78b4befe52d19ad12692e3 # v17
       - name: Run tests
         run: |
           shopt -s globstar
           nix develop -c zig fmt --check ./src/**/*.zig
           nix develop -c zig build test -Dcoverage
       - name: Upload reports
-        uses: codecov/codecov-action@v5.4.2
+        uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
         with:
           fail_ci_if_error: true
           token: ${{ secrets.CODECOV_TOKEN }}

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog][changelog], and this project adheres
 to [Semantic Versioning][semver].
 
+## [Unreleased]
+
+### Maintenance
+
+- Use minimum sets of permission and pinned external workflow step actions.
+
 ## [0.2.1] - 2025-05-13
 
 ### Fixed