cleaning up some recommended security settings, for actions

.github/workflows/buildbundles.yml

@@ -9,14 +9,17 @@ on:
 jobs:
   Generating-Bound-Versions:
     runs-on: ubuntu-latest
+    permissions:
+          pull-requests: read
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@v4
         with:
           node-version: '20'
       - run: ./tools/InstallUbuntuBuildDependencies.sh
       - run: ./tools/PreCheckinUpdate.sh
-      #- run: mkdir ./docs/bound_docs & df > ./docs/bound_docs/foo.pdf
       - name: Upload bound_docs as artifact
         uses: actions/upload-artifact@v4
         with:
@@ -29,11 +32,14 @@ jobs:
   Create-Release:
     needs: Generating-Bound-Versions
     runs-on: ubuntu-latest
-    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
     permissions:
-      contents: write
+          contents: write
+
+    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
 
       - name: Download bound_docs artifact
         uses: actions/download-artifact@v4
@@ -71,10 +77,10 @@ jobs:
           prerelease: ${{ !startsWith(github.ref, 'refs/tags/v') }}
 
       - name: Upload all release files
-        uses: softprops/action-gh-release@v1
+        uses: actions/create-release@v1
         with:
           tag_name: ${{ steps.tag.outputs.tag }}
-          files: |
+          artifacts: |
             ./release-files/*.docx
             ./release-files/*.epub
             ./release-files/*.pdf

.github/workflows/markdownlint.yml

@@ -9,13 +9,17 @@ on:
 jobs:
   run-markdownlint:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
 
     steps:
     - name: check out code
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: run markdownlint
-      uses: DavidAnson/markdownlint-cli2-action@v18.0.0
+      uses: DavidAnson/markdownlint-cli2-action@992badcdf24e3b8eb7e87ff9287fe931bcb00c6e
       with:
         globs: |
           **/*.md

.github/workflows/publish_mkdocs.yml

@@ -8,12 +8,6 @@ on:
   # Allows you to run this workflow manually from the Actions tab
   workflow_dispatch:
 
-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
 # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
@@ -24,9 +18,14 @@ jobs:
   # Build job
   build:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
       - name: Set up Python
         uses: actions/setup-python@v4
         with:
@@ -57,6 +56,10 @@ jobs:
       name: github-pages
       url: ${{ steps.deployment.outputs.page_url }}
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pages: write
+      id-token: write
     needs: build
     steps:
       - name: Deploy to GitHub Pages

.github/workflows/sanitycheck.yml

@@ -9,10 +9,14 @@ on:
 jobs:
   run-misspell:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
 
     steps:
     - name: check out code
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: install misspell
       run: |
@@ -24,10 +28,15 @@ jobs:
 
   run-sanitycheck:
     runs-on: ubuntu-22.04
+    permissions:
+        contents: read
 
     steps:
     - name: check out code
       uses: actions/checkout@v4
+      with:
+        persist-credentials: false
 
     - name: detect non-ASCII encoding and trailing space
       run: python3 ./main/sanitycheck.py
+

.github/workflows/stale.yml

@@ -9,6 +9,8 @@ on:
 jobs:
   stale:
     runs-on: ubuntu-22.04
+    permissions:
+      contents: read
     steps:
       - uses: actions/stale@v9
         with:

.github/workflows/zizmor.yml

@@ -0,0 +1,26 @@
+name: GitHub Actions Security Analysis with zizmor
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["**"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    name: Run zizmor
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read # only needed for private repos
+      actions: read # only needed for private repos
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor
+        uses: zizmorcore/zizmor-action@5ca5fc7a4779c5263a3ffa0e1f693009994446d1 # v0.1.2

tools/Banner.Template.html

@@ -39,6 +39,6 @@
 }
 
 console.log("DEBUG ----");
-document.getElementById("bannerText").innerHTML=getQueryVariable("title");
+document.getElementById("bannerText").innerText=getQueryVariable("title");
 
 </script>