This is a tracking issue.
Since these workflows are widely used and even run automated package uploads (e.g. astropy-iers-data), it seems worth hardening their security as much as possible.
I intend to enable zizmor's pre-commit hook to continuously monitor vulnerabilities, but I need to fix existing ones first.
Linked PRs:
- SEC: address security issues detected with zizmor #363
- SEC: add cooldown period to dependabot settings #365
- SEC: avoid leaking credentials #366
- SEC: disable default gha permissions #367
- SEC: fix exploitable template-injection surface #368
- SEC: fix exploitable template-injection surface (1/n) #369
- SEC: fix exploitable template-injection surface (2/n) #370
- SEC/DEP: consistently use exact commit hashes for dependency pinning #371
- SEC: fix exploitable template-injection surface (3/n) #373
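The PR titles above correspond to a small set of workflow-file changes: dropping the default token permissions, passing event data through environment variables instead of expanding it into `run:` scripts, pinning actions to commit hashes, and not persisting the checkout credentials. The following is an added illustration and is not the project's own workflow or code from any of the linked PRs. It is a constructed issue-triggered workflow shown first in its weak form and then in its hardened form; the workflow name, job and step contents are invented for the example, and `<full-40-hex-commit-sha>` is a placeholder to replace with the real commit hash of the action version being pinned.

```yaml
# Constructed "before" example (not the project's workflow): the patterns
# the tracking issue lists, all in one job.
name: triage
on:
  issues:
    types: [opened]
jobs:
  label:
    runs-on: ubuntu-latest
    # No permissions block: the job inherits the repository's default
    # GITHUB_TOKEN scope, which may be far wider than it needs.
    steps:
      # Mutable tag: whoever controls the tag controls the code that runs.
      - uses: actions/checkout@v4
      # Template injection: the issue title is substituted into the shell
      # script text before bash parses it, so attacker-chosen text becomes code.
      - run: echo "New issue: ${{ github.event.issue.title }}"
---
# Hardened form of the same workflow.
name: triage
on:
  issues:
    types: [opened]
# Empty default: every job must request the scopes it actually uses.
permissions: {}
jobs:
  label:
    runs-on: ubuntu-latest
    permissions:
      issues: write
    steps:
      # Pinned to an immutable commit hash; the trailing comment records the
      # human-readable version so tooling and reviewers can track it.
      # <full-40-hex-commit-sha> is a placeholder, not a real hash.
      - uses: actions/checkout@<full-40-hex-commit-sha> # v4
        with:
          # Do not leave the token in .git/config where later steps or
          # uploaded artifacts could expose it.
          persist-credentials: false
      # Untrusted event data enters the step only as an environment variable;
      # the shell sees it as data, never as part of the script text.
      - env:
          ISSUE_TITLE: ${{ github.event.issue.title }}
        run: printf 'New issue: %s\n' "$ISSUE_TITLE"
```

The environment-variable pattern is the core of the template-injection fixes: `${{ ... }}` is expanded by the runner before the shell ever sees the script, so any expression that carries user-controlled text (issue titles, PR bodies, branch names, commit messages) must be routed through `env:` and quoted in the script. Hash pinning and the empty top-level `permissions:` block limit what a compromised action or a leaked token could do if such an injection were ever reintroduced.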