Zizmor fixes

.github/workflows/deploy.yml

@@ -6,30 +6,44 @@ on:
     branches:
       - master
 
+# Limit concurrent workflow runs to prevent resource conflicts and ensure clean deployments
+concurrency:
+  group: pages
+  cancel-in-progress: false
+
+# Default permissions for all jobs - minimal access
+permissions: {}
+
 jobs:
   build:
+    name: Build site
     env:
       MDBOOK_VERSION: 0.5.1
       RUN_BLACKSMITH: 1
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
+      # Checkout repository without persisting credentials to reduce attack surface
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
+        with:
+          persist-credentials: false
       - name: Install mdbook
         run: curl -sSL https://github.com/rust-lang/mdBook/releases/download/v${MDBOOK_VERSION}/mdbook-v${MDBOOK_VERSION}-x86_64-unknown-linux-gnu.tar.gz | tar -xz
       - name: Build book
         run: ./mdbook build
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v4
+        uses: actions/upload-pages-artifact@fc324d3547104276b827a68afc52ff2a11cc49c9  # v5
         with:
           path: ./book/html
 
   deploy:
+    name: Deploy to GitHub Pages
     if: github.repository_owner == 'rust-lang'
     needs: build
 
+    # Required permissions for GitHub Pages deployment
     permissions:
-      pages: write
-      id-token: write
+      pages: write  # Required to deploy to GitHub Pages
+      id-token: write  # Required for OIDC authentication with GitHub Pages service
 
     environment:
       name: github-pages
@@ -38,4 +52,4 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@cd2ce8fcbc39b97be8ca5fce6e763baed58fa128  # v5

.github/workflows/test.yml

@@ -2,6 +2,15 @@ name: Test
 on:
   pull_request:
 
+# Cancel in-progress runs for the same PR to save resources
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+# Minimal permissions for testing
+permissions:
+  contents: read
+
 jobs:
   test:
     name: test
@@ -11,7 +20,10 @@ jobs:
       MDBOOK_OUTPUT__LINKCHECK__WARNING_POLICY: error
       RUN_BLACKSMITH: 1
     steps:
-      - uses: actions/checkout@v4
+      # Checkout repository without persisting credentials to reduce attack surface
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
+        with:
+          persist-credentials: false
       - name: Install mdbook
         run: curl -sSL https://github.com/rust-lang/mdBook/releases/download/v${MDBOOK_VERSION}/mdbook-v${MDBOOK_VERSION}-x86_64-unknown-linux-gnu.tar.gz | tar -xz
       - name: Install mdbook-linkcheck2

.github/workflows/zizmor.yml

@@ -0,0 +1,39 @@
+name: Security Audit with zizmor
+
+on:
+  push:
+    branches: [master]
+    paths:
+      - '.github/workflows/**'
+  pull_request:
+    branches: [master]
+    paths:
+      - '.github/workflows/**'
+
+# Cancel in-progress runs for the same PR to save resources
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+# Minimal permissions for auditing
+permissions:
+  contents: read
+
+jobs:
+  zizmor:
+    name: Run zizmor security audit
+    runs-on: ubuntu-latest
+    steps:
+      # Checkout repository without persisting credentials to reduce attack surface
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6
+        with:
+          persist-credentials: false
+
+      - name: Install zizmor
+        run: |
+          curl -sSL https://github.com/woodruffw/zizmor/releases/download/v1.24.1/zizmor-x86_64-unknown-linux-gnu.tar.gz | tar -xz
+          chmod +x zizmor
+          sudo mv zizmor /usr/local/bin/
+
+      - name: Run zizmor audit
+        run: zizmor --persona pedantic --min-severity low .github/workflows