Merge branch 'main' into dependabot/npm_and_yarn/website/npm_and_yarn-73ea615029

Author: coliff

.github/workflows/codeql-analysis.yml

@@ -11,6 +11,9 @@ on:
       - '!dependabot/**'
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   analyze:
     name: Analyze

.github/workflows/labeler.yml

@@ -3,10 +3,16 @@ name: Pull Request Labeler
 on:
   - pull_request_target
 
+permissions:
+  contents: read
+
 jobs:
   triage:
+    permissions:
+      contents: read  # for actions/labeler to determine modified files
+      pull-requests: write  # for actions/labeler to add labels to PRs
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/labeler@v6
+      - uses: actions/labeler@634933edcd8ababfe52f92936142cc22ac488b1b # v6.0.1
         with:
           repo-token: '${{ secrets.GITHUB_TOKEN }}'

.github/workflows/publish.yml

@@ -6,6 +6,9 @@ on:
       - published
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest

.github/workflows/super-linter.yml

@@ -30,7 +30,7 @@ jobs:
           persist-credentials: false
 
       - name: Super-linter
-        uses: super-linter/super-linter/[email protected]
+        uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0
         env:
           DEFAULT_BRANCH: main
           FILTER_REGEX_EXCLUDE: '/test/'
@@ -46,7 +46,6 @@ jobs:
           VALIDATE_CSS_PRETTIER: false
           VALIDATE_EDITORCONFIG: false
           VALIDATE_GIT_COMMITLINT: false
-          VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
           VALIDATE_HTML: false
           VALIDATE_HTML_PRETTIER: false
           VALIDATE_JAVASCRIPT_ES: false

.github/workflows/sync-labels.yml

@@ -17,7 +17,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: micnncim/action-label-syncer@v1
+      - uses: micnncim/action-label-syncer@3abd5ab72fda571e69fffd97bd4e0033dd5f495c # v1.3.0
         with:
           token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.repository }}

.github/workflows/test.yml

@@ -9,6 +9,9 @@ on:
       - '**/*.md'
       - '**/*.mdx'
 
+permissions:
+  contents: read
+
 jobs:
   lint:
     runs-on: ubuntu-latest
@@ -30,6 +33,9 @@ jobs:
         run: npm run lint
 
   build:
+    permissions:
+      actions: write  # for styfle/cancel-workflow-action to cancel/stop running workflows
+      contents: read  # for actions/checkout to fetch code
     runs-on: ${{ matrix.os }}
     needs: lint
     strategy:
@@ -43,7 +49,7 @@ jobs:
 
     steps:
       - name: 🛑 Cancel Previous Runs
-        uses: styfle/[email protected]
+        uses: styfle/cancel-workflow-action@85880fa0301c86cca9da44039ee3bb12d3bedbfa # 0.12.1
         with:
           access_token: ${{ secrets.GITHUB_TOKEN }}
 
@@ -69,23 +75,23 @@ jobs:
 
       - name: Run tests
         if: matrix.os != 'ubuntu-latest'
-        uses: nick-invision/retry@v3
+        uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
         with:
           timeout_minutes: 20
           max_attempts: 3
           command: npm run test
 
       - name: Run coverage
         if: matrix.node == '20' && matrix.os == 'ubuntu-latest'
-        uses: nick-invision/retry@v3
+        uses: nick-invision/retry@ce71cc2ab81d554ebbe88c79ab5975992d79ba08 # v3.0.2
         with:
           timeout_minutes: 20
           max_attempts: 3
           command: npm run test:coverage
 
       - name: ⬆️ Upload coverage to Codecov
         if: matrix.node == '20' && matrix.os == 'ubuntu-latest'
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
         with:
           files: ./coverage/coverage-final.json
           name: codecov-dev

.github/workflows/website.yml

@@ -13,8 +13,14 @@ on:
       - .github/workflows/website.yml
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
+    permissions:
+      contents: read  # for actions/checkout to fetch code
+      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results
     runs-on: ubuntu-latest
     steps:
       - name: ⬇️ Checkout