SEC: several vulnerabilities detected with zizmor

[neutrinoceros]

This is a tracking issue

Since these workflows are widely used and even run automated package uploads (e.g. astropy-iers-data), it seems worth hardening their security as much as possible.

I intend to enable zizmor's pre-commit hook to continuously monitor vulnerabilities, but I need to fix existing ones first

linked PRs:

• SEC: address security issues detected with zizmor #363
• SEC: add cooldown period to dependabot settings #365
• SEC: avoid leaking credentials #366
• SEC: disable default gha permissions #367
• SEC: fix exploitable template-injection surface #368
• SEC: fix exploitable template-injection surface (1/n) #369
• SEC: fix exploitable template-injection surface (2/n) #370
• SEC/DEP: consistently use exact commit hashes for dependency pinning #371
• SEC: fix exploitable template-injection surface (3/n) #373
• SEC: setup zizmor's pre-commit hook #376
• SEC: disable default gha permissions (2/2) #377

[neutrinoceros]

Low hanging fruit season is over. Now comes the difficult part: zizmor still reports 57 findings, which broadly span over 2 audits:

• template-injection
• secrets-outside-env

The former seems tricky (maybe impossible) to fix: as mentionned in #373, I think shell expansion is really relied on where it's still used, so it cannot simply be avoided. Instead, inputs would need to be sanitized somehow.

The latter is possibly out-of-scope for reusable workflows (this is only an educated guess); I expect end users need to setup fences (github envs) and we cannot do it for them, nor can we enforce that they do (again, just guesses). From where I'm standing right now, it looks like the only course of action would be to better document the need for environments around publishing workflows. Though, encouraging users towards trusted publishing would naturally accomplish that goal as well as adress another vulnerability that lives in user repos: long lived PyPI tokens.

[Cadair]

I agree, we can't use envs or make people use envs, so I would consider the second one out of scope.

Can you open a PR with zizmor configured to pass as things currently are so we at least don't go backwards from our current state?