fix gh actions

.github/workflows/acceptance-tests.yml

@@ -3,12 +3,17 @@ name: Acceptance Tests
 
 on: [pull_request]
 
+permissions: {}
+
 jobs:
   acceptance-tests:
+    permissions: {}
     runs-on: ubuntu-24.04
     steps:
       - name: Check out
-        uses: actions/checkout@v4
-      - uses: jdx/mise-action@v2
+        with:
+          persist-credentials: false
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
       - name: Run acceptance tests
         run: ./scripts/run-acceptance-tests.sh ${{ github.event.pull_request.head.sha }}

.github/workflows/ghcr-image-build-and-publish.yml

@@ -28,13 +28,15 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4.2.2
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       # Login against a Docker registry except on PR
       # https://github.com/docker/login-action
       - name: Log into registry ${{ env.REGISTRY }}
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3.4.0
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
@@ -44,14 +46,14 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@v5.7.0
+        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # v5.7.0
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
 
       # Build and push Docker image with Buildx (don't push on PR)
       # https://github.com/docker/build-push-action
       - name: Build and push Docker image
-        uses: docker/build-push-action@v6.16.0
+        uses: docker/build-push-action@14487ce63c7a62a4a324b0bfb37086795e31c6c1 # v6.16.0
         with:
           context: docker/
           push: ${{ github.event_name != 'pull_request' }}

.github/workflows/lint-rest.yml

@@ -0,0 +1,19 @@
+---
+name: Acceptance Tests
+
+on: [pull_request]
+
+permissions: {}
+
+jobs:
+  acceptance-tests:
+    permissions: {}
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out
+        with:
+          persist-credentials: false
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: jdx/mise-action@7a111ead46986ccad89a74ad013ba2a7c08c9e67 # v2.1.1
+      - name: Lint
+        run: mise run lint-rest

.github/workflows/release.yml

@@ -16,10 +16,12 @@ jobs:
 
     steps:
       - id: checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
 
       - id: push-to-dockerhub
-        uses: grafana/shared-workflows/actions/build-push-to-dockerhub@main
+        uses: grafana/shared-workflows/actions/build-push-to-dockerhub@402975d84dd3fac9ba690f994f412d0ee2f51cf4 # v0.1.1
         with:
           repository: grafana/otel-lgtm
           context: docker

.github/workflows/renovate.yml

@@ -14,6 +14,8 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Checkout Code
+        with:
+          persist-credentials: false
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 
       - name: retrieve secrets

.github/workflows/super-linter.yml

@@ -16,15 +16,16 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
+          persist-credentials: false
           fetch-depth: 0
 
       - name: Load super-linter configuration
         run: grep -v '^#' .github/super-linter.env | grep -v 'FIX_' >> "$GITHUB_ENV"
 
       - name: Super-linter
-        uses: super-linter/super-linter@v7.3.0
+        uses: super-linter/super-linter@4e8a7c2bf106c4c766c816b35ec612638dc9b6b2 # v7.3.0
         env:
           # To report GitHub Actions status checks
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

mise.toml

@@ -1,4 +1,5 @@
 [tools]
+"cargo:zizmor" = "latest"
 go = "latest"
 "go:github.com/grafana/oats" = "latest"
 java = "temurin-21.0.7+6.0.LTS"
@@ -14,9 +15,16 @@ run = "markdownlint-cli2 --fix ."
 [tasks.lint-links]
 run = "lychee --cache --include-fragments ."
 
+[tasks.lint-gh-actions]
+run = "zizmor .github/"
+
 [tasks.lint-all]
 depends = ["lint", "lint-links"]
 
+[tasks.lint-rest]
+description = "All lints not covered by super linter"
+depends = ["lint-links", "lint-gh-actions"]
+
 [tasks.test]
 description = "Run integration tests"
 run = './scripts/run-acceptance-tests.sh {{arg(name="tag", default="latest")}}'