maint: fix gha zizmor findings

.github/actions/test-coverage/action.yml

@@ -36,7 +36,7 @@ runs:
       run: |
         uv run coverage json
         echo "COVERAGE=$(jq '.totals.percent_covered_display|tonumber' coverage.json)" >> $GITHUB_ENV
-    - uses: mshick/add-pr-comment@v2
+    - uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8
       if: ${{ github.event_name == 'pull_request' }}
       with:
         message: |

.github/workflows/publish-documentation.yml

@@ -17,6 +17,8 @@ jobs:
       url: https://pypi.org/p/fakeredis
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Set up Python
         uses: actions/setup-python@v5
         with:

.github/workflows/publish.yml

@@ -10,13 +10,15 @@ env:
   PYPI_TEST_URL: https://test.pypi.org/p/django-tasks-scheduler
 
 jobs:
-
   build:
     name: Build distribution 📦
     runs-on: ubuntu-latest
-
+    permissions:
+      id-token: write  # IMPORTANT: this permission is mandatory for trusted publishing
     steps:
     - uses: actions/checkout@v4
+      with:
+        persist-credentials: false
     - name: Set up Python
       uses: actions/setup-python@v5
       with:

.github/workflows/test.yml

@@ -13,9 +13,12 @@ jobs:
   ruff:
     runs-on: ubuntu-latest
     name: "ruff on code"
+    permissions:
+      contents: read
     steps:
       - uses: actions/checkout@v4
-
+        with:
+          persist-credentials: false
       - name: Install uv
         uses: astral-sh/setup-uv@v6
       - uses: actions/setup-python@v5
@@ -42,7 +45,8 @@ jobs:
             django-version: '5.2'
             broker: 'redis'
             coverage: yes
-
+    permissions:
+      pull-requests: write
     services:
       redis:
         image: redis:7.2.2
@@ -69,6 +73,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@v4
+        with:
+          persist-credentials: false
       - name: Install uv
         uses: astral-sh/setup-uv@v6
       - uses: actions/setup-python@v5
@@ -120,7 +126,7 @@ jobs:
 
       - name: Create coverage badge
         if: ${{ matrix.coverage == 'yes' && github.event_name == 'push' }}
-        uses: schneegans/dynamic-badges-action@v1.7.0
+        uses: schneegans/dynamic-badges-action@7142847813c746736c986b42dec98541e49a2cea
         with:
           auth: ${{ secrets.GIST_SECRET }}
           gistID: b756396efb895f0e34558c980f1ca0c7
@@ -141,6 +147,6 @@ jobs:
     needs: test-regular
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v6
+      - uses: release-drafter/release-drafter@b1476f6e6eb133afa41ed8589daba6dc69b4d3f5
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/zizmor.yml

@@ -0,0 +1,15 @@
+rules:
+  unpinned-images:
+    ignore:
+      - 'test.yml'
+      - 'test-dragonfly.yml'
+  unpinned-uses:
+    config:
+      policies:
+        actions/*: any
+        astral-sh/*: any
+        pypa/gh-action-pypi-publish: any
+  github-env:
+    ignore:
+      - 'action.yml:36:7'
+      - 'action.yml:28:7'