[StepSecurity] ci: Harden GitHub Actions (#47)

Signed-off-by: StepSecurity Bot <[email protected]>

Author: step-security-bot

.github/workflows/_lint.yml

@@ -3,12 +3,15 @@ name: _lint
 on:
   workflow_call:
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: 🧹 lint yaml
-        uses: ibiqlik/action-yamllint@v3
+        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3.1.1
         with:
           config_file: ".yamllint.yml"

.github/workflows/_stale.yml

@@ -20,12 +20,15 @@ on:
         required: false
         default: "keep"
 
+permissions:
+  contents: read
+
 jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
       - name: 📆 mark stale activity
-        uses: actions/stale@v9
+        uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           repo-token: ${{ secrets.BLOOMBERG_OSS_USER_TOKEN_READ }}
           days-before-stale: ${{ inputs.days-until-stale }}

.github/workflows/stale-issue.yml

@@ -5,6 +5,9 @@ on:
     - cron: "0 0 * * 0"
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   mark-stale:
     uses: ./.github/workflows/_stale.yml