ci: address security findings (#389)

* ci: address security findings

Signed-off-by: William Woodruff <[email protected]>

* ci: use runner's stable Rust toolchain

Or, where nightly is required, bootstrap it through rustup directly.

Signed-off-by: William Woodruff <[email protected]>

---------

Signed-off-by: William Woodruff <[email protected]>

Author: woodruffw

.github/workflows/benchmarks.yml

@@ -7,12 +7,17 @@ on:
   pull_request:
   workflow_dispatch:
 
+permissions: {}
+
 jobs:
   benchmarks:
     name: Run benchmarks
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+        with:
+          persist-credentials: false
+
       - name: Setup rust toolchain, cache and cargo-codspeed binary
         uses: moonrepo/setup-rust@ede6de059f8046a5e236c94046823e2af11ca670 # v1
         with:

.github/workflows/cargo_publish_dry_run.yml

@@ -3,20 +3,22 @@
 name: Check crate publishing works
 on:
   pull_request:
-    branches: [ release ]
+    branches: [release]
   workflow_dispatch:
 
 env:
   CARGO_TERM_COLOR: always
 
+permissions: {}
+
 jobs:
   cargo_publish_dry_run:
     name: Publishing works
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - name: Install stable Rust
-        uses: dtolnay/rust-toolchain@stable
+        with:
+          persist-credentials: false
 
       - name: Get Cargo version
         id: cargo_version

.github/workflows/ci.yml

@@ -3,8 +3,10 @@ on:
   pull_request:
   merge_group:
   push:
-    branches: [ release, dev ]
-  schedule: [ cron: "0 6 * * 4" ]
+    branches: [release, dev]
+  schedule: [cron: "0 6 * * 4"]
+
+permissions: {}
 
 env:
   CARGO_TERM_COLOR: always
@@ -15,18 +17,21 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: dtolnay/rust-toolchain@stable
+        with:
+          persist-credentials: false
+
       - run: cargo build --workspace
+
       - run: cargo test --all-features --workspace
 
   clippy:
     name: Clippy
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: dtolnay/rust-toolchain@stable
         with:
-          components: clippy
+          persist-credentials: false
+
       - name: Check Clippy lints
         env:
           RUSTFLAGS: -D warnings
@@ -37,17 +42,19 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: dtolnay/rust-toolchain@stable
         with:
-          components: rustfmt
+          persist-credentials: false
+
       - run: cargo fmt --all -- --check
 
   check_documentation:
     name: Docs
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: dtolnay/rust-toolchain@stable
+        with:
+          persist-credentials: false
+
       - name: Check documentation
         env:
           RUSTDOCFLAGS: -D warnings
@@ -58,7 +65,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: dtolnay/rust-toolchain@nightly
+        with:
+          persist-credentials: false
+
+      - run: rustup toolchain install nightly
+
       - run: cargo +nightly update -Zminimal-versions
+
       - run: cargo +nightly build --workspace
+
       - run: cargo +nightly test --all-features --workspace

.github/workflows/deploy_documentation.yml

@@ -3,18 +3,23 @@
 name: Deploy documentation
 on:
   push:
-    branches: [ dev ]
+    branches: [dev]
   workflow_dispatch:
 
+permissions: {}
+
 env:
   CARGO_TERM_COLOR: always
 
 jobs:
   deploy_documentation:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write # for peaceiris/actions-gh-pages
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
-      - uses: dtolnay/rust-toolchain@stable
+        with:
+          persist-credentials: false
 
       - name: Build documentation
         run: cargo doc --no-deps